CyberSource Security Updates - Spring/Summer 2017


Doc ID:    C1743
Version:    4.0
Status:    Published
Published date:    03/10/2017
Updated:    03/10/2017
 

Answer


To ensure that merchants' secure communications with the CyberSource platform remain as secure as possible (both browser-based and server-to-server), CyberSource will be eliminating support for certain older and less secure forms of Transport Layer Security (TLS) communication in the coming months.

In mid-April, we will stop accepting "Triple DES" (3DES) cipher suites in TLS handshakes; a client that can only offer 3DES suites will be refused.  Merchants will need to ensure that the servers and/or network appliances that open secure connections to CyberSource platforms offer more modern and secure cipher suites in those handshakes.

In mid-May, CyberSource will stop accepting RC4-based cipher suites on connections made to our Batch Upload, Account Updater, and non-Akamai-enabled API endpoints.  RC4 cipher suites were previously dropped for other kinds of connections to CyberSource; this change brings these endpoints in line with the rest of the platform.

Beginning at the end of April for browser-based endpoints, and for all server-to-server connections by the end of June 2017, CyberSource will require TLS version 1.2 for all inbound connections.  This change is in line with the gathering momentum within the payments industry to eliminate use of the older TLS 1.0 and 1.1 protocol versions, both of which have been found to have weaknesses over the past couple of years.

To review current infrastructure and configurations, most merchants will want to work with their internal Networking/IT teams, or with those of their hosting provider if the servers or network hardware that initiate the client-side secure connections are housed there.  CyberSource can detail our planned changes but cannot, by and large, walk merchants through their own environments to find and change these settings, as they vary per merchant and per environment.
 
 
The approximate schedule of these changes is as follows:

Change                                                           Target date
EOL of DES-based (Triple DES) ciphers (Web and API endpoints)    Mid-April 2017
EOL of RC4-based ciphers (API, Batch Upload, Account Updater)    Mid-May 2017
EOL of TLS 1.0/1.1 for Web Portal connections                    Late April 2017
EOL of TLS 1.0/1.1 for Server/API connections                    Late June 2017


The following FAQ is intended to answer some basic questions about these upcoming changes, the reasoning behind them, and the actions merchants may need to take.
 
 

FAQ

When are these various changes targeted to be rolled out to the Production CyberSource environment?


Please see the dates below for each change:

Change                                                           Target date
EOL of DES-based (Triple DES) ciphers (Web and API endpoints)    Mid-April 2017
EOL of RC4-based ciphers (API, Batch Upload, Account Updater)    Mid-May 2017
EOL of TLS 1.0/1.1 for Web Portal connections                    Late April 2017
EOL of TLS 1.0/1.1 for Server/API connections                    Late June 2017
 

As a merchant, how can I ensure that my systems are using the appropriate protocol versions and cipher types to ensure uninterrupted communications with CyberSource?


There are two parts to this answer: how to monitor your current connections to see what is being negotiated, and how to set the connection characteristics that your client-side server or application requests when contacting CyberSource.

To monitor connections and/or transaction request activity to CyberSource, set up a network monitor that can observe the outbound connections from your server and/or network device and record which protocol version and cipher suite secure each connection.  Capturing this traffic with Wireshark or a similar tool will show what is in use: the Client Hello shows the highest version and the cipher suites your client offers, and the Server Hello shows the version and suite the server actually selected, which is what matters.  You will want to confirm that TLS 1.2 is negotiated and that no "DES" or "RC4" cipher suite is selected.

Should you find that an older version of TLS (1.0 or 1.1) is in use, or that your systems are opening connections with a "DES" or "RC4" cipher suite, look at the server and/or network appliance that creates the connection request and update its configuration to more modern settings.  TLS 1.2 should be the protocol, and any of a number of modern, secure cipher suites will be acceptable.  Please see the Best Practices item below for specifics.

Exactly where these settings live varies with your particular infrastructure and/or hosted environment.  The server or network device that initiates the outbound call to the CyberSource endpoint normally controls the characteristics of that TLS handshake, and that is where the configuration should be addressed.  Note that a proxy or other appliance that terminates and re-opens the connection on your behalf is then the client whose settings matter, not the application behind it.
 

What are the current Best Practices to note when using a modern browser and/or setting up a new server-to-server connection to CyberSource that relies on TLS to secure the connection?


Only TLS version 1.2 should be used; earlier versions are about to reach end of life.  Within TLS 1.2, any of many modern cipher suites may be used for the handshake, but here are some preferred characteristics:
  • ECDHE key exchange with AES-GCM cipher suites is preferred.
  • Perfect Forward Secrecy (PFS) cipher suites are preferred but not required; ECDHE key exchange provides PFS.
  • Keyed hash functions (HMAC) must use SHA-2 or SHA-3.  SHA-1-based suites are not allowed.
  • Authenticated encryption modes (e.g. AES-GCM, ChaCha20-Poly1305) must be preferred over non-authenticated modes such as AES-CBC.
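The monitoring and configuration steps above and this Best Practices list, as one added example that is not CyberSource code: a Python script using only the standard-library ssl module that audits the protocol minimum and cipher suites a client offers against these rules, builds a client context that meets them, and can report what a live connection actually negotiates.  The hostname "api.example.invalid" is a placeholder and the legacy configuration is constructed for illustration; neither comes from this page.

```python
"""Check and set the TLS version and cipher suites a client offers.

Added example, not CyberSource code. Assumes a Python client that opens
server-to-server HTTPS connections via the standard-library ssl module.
"""
import socket
import ssl

# Rules from the notice: TLS 1.2 only; no DES/3DES or RC4; no SHA-1 MACs;
# AEAD modes (GCM, ChaCha20-Poly1305) preferred over CBC.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Explicit ECDHE + AEAD suites for TLS 1.2, in OpenSSL naming.
HARDENED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])


def suite_issues(name):
    """Return the rule violations for one OpenSSL-style cipher suite name."""
    issues = []
    if "RC4" in name:
        issues.append("RC4 stream cipher")
    if "DES" in name:            # matches DES-CBC-SHA and DES-CBC3-SHA (3DES)
        issues.append("DES/3DES block cipher")
    if name.endswith("-SHA"):    # OpenSSL's bare "-SHA" suffix means HMAC-SHA1
        issues.append("SHA-1 MAC")
    if not any(aead in name for aead in ("GCM", "CHACHA20", "CCM")):
        issues.append("not an AEAD mode (e.g. AES-CBC)")
    return issues


def audit(min_version, suite_names):
    """List the problems in a client configuration; empty means compliant."""
    problems = []
    if min_version < REQUIRED_MIN_VERSION:
        problems.append("minimum protocol version below TLS 1.2")
    for name in suite_names:
        for issue in suite_issues(name):
            problems.append(f"{name}: {issue}")
    return problems


def audit_context(ctx):
    """Audit an ssl.SSLContext as it would be used for outbound connections."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def hardened_context():
    """Client context that meets the notice's requirements."""
    ctx = ssl.create_default_context()      # certificate and hostname checks on
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.set_ciphers(HARDENED_CIPHERS)       # TLS 1.3 suites, if present, are AEAD-only
    return ctx


# Constructed sample of a legacy client configuration (not from any real system):
# TLS 1.0 still allowed, and a CBC/SHA-1, a 3DES and an RC4 suite still offered.
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
                 "DES-CBC3-SHA", "RC4-SHA"]


def audit_legacy_sample():
    return audit(LEGACY_MIN_VERSION, LEGACY_SUITES)


def negotiated(host, port=443, ctx=None):
    """Connect and return the protocol version and suite actually selected."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for problem in audit_legacy_sample():
        print("legacy:", problem)
    print("hardened:", audit_context(hardened_context()) or "no problems")
    # Live check against your own endpoint (placeholder host; needs network):
    # print(negotiated("api.example.invalid"))
```

The audit only covers what the client is willing to offer; the server picks the suite, so after tightening a configuration run negotiated() against the endpoint you actually call and confirm it reports "TLSv1.2" (or newer) and a non-DES, non-RC4 suite.  A network appliance that re-opens the connection on your behalf must be checked the same way, from its own configuration.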
 

What is Transport Layer Security (TLS)?


Transport Layer Security (TLS) is a cryptographic protocol used to secure data in transit across a network.  Within the overall protocol, the cipher suite negotiated in the handshake determines the key exchange, encryption and integrity algorithms actually used.  More information can be found here:  https://en.wikipedia.org/wiki/Transport_Layer_Security
 

What are Data Encryption Standard (DES) ciphers?


DES ciphers are TLS cipher suites built on the Data Encryption Standard, a 1970s block cipher with a 64-bit block and a 56-bit key.  The suites being retired here are the Triple DES (3DES) suites, which OpenSSL names with "DES-CBC3" (for example DES-CBC3-SHA).  More information can be found here:  https://en.wikipedia.org/wiki/Data_Encryption_Standard
 

What are RC4 ciphers?


RC4 ciphers are TLS cipher suites built on the RC4 stream cipher.  RC4 has known biases in its keystream, and its use in TLS has been prohibited by RFC 7465.  More information can be found here:  https://en.wikipedia.org/wiki/RC4
 
