TLS security protocol important upgrade
In order to provide merchants with the highest level of security for their online transactions, and as required by PCI DSS v3.2, version 1.2 of TLS, the security protocol used for exchanges on the Internet, becomes mandatory.
Versions 1.0 and 1.1 of the protocol will no longer be accepted on the Dalenys platform, starting March 31st 2018. We therefore invite you, as merchants, to verify your environment now and plan your servers’ upgrade if necessary. The upgrade to TLS 1.2 has already been deployed on our sandbox environment: you can check right away whether your transactions are properly accepted.
1- What is TLS?
Transport Layer Security (TLS) is the protocol used to encrypt HTTPS exchanges. When a server and a client communicate, TLS ensures that no third party can eavesdrop on or forge the messages. TLS replaces the Secure Sockets Layer protocol (SSL).
2- What are the impacts for merchants?
The impact for merchants, and the migration work needed to reach TLS 1.2, depend on the payment form used on the e-commerce website.
- I use a DirectLink payment form (in addition to payments, other operations like export, refund, etc. are made with DirectLink). Am I impacted?
If you accept payments with a “DirectLink” payment form, the requests to the Dalenys platform are impacted. You must check your environment, and migrate to TLS 1.2 if necessary.
- I use a “hosted fields” payment form. Am I impacted?
If you accept payments with a “hosted fields” form, the requests to the Dalenys platform are impacted. You must check your environment, and migrate to TLS 1.2 if necessary. For impacts on consumers, please see question 3.
-NEW- “Hosted fields” mode, now available, provides the highest flexibility in your payment page customization, without any compromise on security. Contact your Payment Manager to set it up!
- I use a non-customized payment form. Am I impacted?
If you accept payments with a “non-customized form”, as merchants you are not impacted. For impacts on consumers, please see question 3.
- I use a customized payment form. Am I impacted?
If you accept payments with a “customized form”, the requests to the Dalenys platform are impacted. You must check your environment and migrate to TLS 1.2 if necessary. For impacts on consumers, please see question 3.
- I use POS/MPOS. Am I impacted?
If you accept payments with “POS/MPOS”, you are not impacted: deactivation of TLS 1.0 and TLS 1.1 only concerns online transactions, and not in-store transactions.
3- What are the impacts for consumers?
If the card holder uses a browser or a device which doesn’t support the TLS 1.2 security protocol (in particular an obsolete web browser limited to TLS 1.0 and/or TLS 1.1), the payment page won’t be displayed.
There will be no specific alert about this issue: the handshake simply fails. The card holder will have to upgrade or switch to an up-to-date web browser. We invite you to inform your website’s visitors with a banner or pop-up alert.
You can visit the Wikipedia page dedicated to the TLS protocol, which provides an overview of browser compatibility with TLS 1.2 (see the “Web browsers” section).
4- Do external resources exist to evaluate my current implementation of TLS?
In order to test your implementation, you can use online external tools to check your client and/or server TLS configuration. We invite you to contact your Dalenys Payment Manager to support you in this process.
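As an added example that is not part of the Dalenys announcement, the following Python script is the kind of check a merchant could run from the server that makes DirectLink (server-to-server) calls: it confirms the local OpenSSL build can speak TLS 1.2, builds a client that refuses anything older, and reports the protocol version actually negotiated with an endpoint. The hostname is a placeholder (use the sandbox endpoint from your integration documentation); TLS 1.3 is treated as acceptable since it is newer than the requirement.

```python
import socket
import ssl

# Placeholder only: replace with the Dalenys sandbox endpoint from your docs.
DEFAULT_HOST = "sandbox.example.invalid"

# The announcement's floor: TLS 1.2. Anything newer (1.3) also passes.
MINIMUM_ACCEPTED = ssl.TLSVersion.TLSv1_2
ACCEPTED_NAMES = {"TLSv1.2", "TLSv1.3"}


def local_supports_tls12() -> bool:
    """True if the Python/OpenSSL build on this host can negotiate TLS 1.2."""
    return bool(ssl.HAS_TLSv1_2)


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses TLS 1.0/1.1.

    Pinning the minimum version locally mirrors what the platform enforces,
    so a misconfigured host fails here instead of in production."""
    ctx = ssl.create_default_context()  # hostname + chain verification on
    ctx.minimum_version = MINIMUM_ACCEPTED
    return ctx


def is_acceptable(protocol_name: str) -> bool:
    """Map the string returned by SSLSocket.version() to accept/refuse."""
    return protocol_name in ACCEPTED_NAMES


def negotiated_version(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Open a TLS connection and return the negotiated protocol name."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def check_endpoint(host: str = DEFAULT_HOST, port: int = 443) -> str:
    """Human-readable verdict for the local stack against one endpoint."""
    if not local_supports_tls12():
        return "FAIL: local OpenSSL build lacks TLS 1.2 (" + ssl.OPENSSL_VERSION + ")"
    try:
        version = negotiated_version(host, port)
    except (ssl.SSLError, OSError) as exc:
        return "FAIL: handshake not completed (" + str(exc) + ")"
    verdict = "OK" if is_acceptable(version) else "FAIL"
    return verdict + ": negotiated " + version


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print(check_endpoint())
```

Run it on each host that talks to the platform; a "FAIL" from the first branch means the OS or Python build itself must be upgraded before any application change will help.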
5- What happens if my security protocols are not up-to-date?
The PCI Council asks Payment Service Providers like Dalenys to refuse protocols which are no longer considered secure. This means that exchanges made with obsolete protocols won’t be considered secure by our payment engine and will fail.
Please don’t hesitate to contact your Payment Manager, should you have any question.