What is TLS?
Transport Layer Security (TLS) is an encryption protocol used to communicate between systems, which superseded the Secure Sockets Layer (SSL) protocol in 2000. TLS v1.0 has in turn been superseded by TLS v1.1, TLS v1.2 and TLS v1.3.
Per PCI DSS v3.1 and v3.2, SSL and early TLS (TLS v1.0 or TLS v1.1) are no longer considered strong encryption protocols, due to vulnerabilities in these protocols to which there are no fixes. TLS v1.2 and TLS v1.3 are currently PCI compliant.
How does it impact me?
Customers are required to support at least TLS v1.2 for their connection to the Maxpay Platform. TLS v1.0 and v1.1 are disabled since 2018. Customers who do not support at least TLS v1.2 will no longer be able to connect to the service. The list of ciphers that are supported is available below. Customers need to support one of the available ciphers from this list to continue connecting to the Maxpay Platform.
TLS v1.0 and TLS v1.1 are disabled for all services. Customers are required to use a TLS v1.2 or TLS v1.3 to ensure they can continue to access our services. It is recommended to choose TLS v1.3 as tests have shown that this can be up to 15% faster on the TLS Handshake.
If my organization’s connection does not support TLS v1.2, what do I need to do next?
If your connection to the Maxpay Platform uses TLS v1.1 or earlier, you will need to update your own systems to ensure that you are connecting using TLS v1.2 or TLS v1.3. Due to the vulnerabilities in older protocols, it is suggested that these changes are made as soon as possible. Below is a list of ciphers that are supported. Your organization will need to verify that your systems support one of the available ciphers from this list to continue connecting to the Maxpay Platform.
TLS v1.3 (suites in server-preferred order)
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
TLS v1.2 (suites in server-preferred order)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
If your organization is not able to upgrade to TLS v1.2 or TLS v1.3 the service will no longer be able to connect to the Maxpay Platform.
If I am already using TLS v1.2 or TLS v1.3, do I need to do anything?
If you are using TLS v1.2 for communication, the cipher suite compatibility needs to be verified, see above. If your organization is already connecting to the Maxpay Platform using TLS v1.3, and already using a TLS v1.3 compatible browser, no action should be required.
Compatibilities
Every application implements ciphers and TLS versions differently.
List of not supported server to server connection (merchant configuration):
- Java 6u45 and anything before
- Java 7u25
- OpenSSL 0.9.8y
List of not supported browser configuration:
- IE 11 / Win Phone 8.1 R
- Safari 6 / iOS 6.0.1
- Safari 7 / iOS 7.1
- Safari 7 / OS X 10.9
- Safari 8 / iOS 8.4
- Safari 8 / OS X 10.10
- Android 2.3.7
- Android 4.0.4
- Android 4.1.1
- Android 4.2.2
- Android 4.3
- Baidu Jan 2015
- IE 6 / XP
- IE 7 / Vista
- IE 8 / XP
- IE 8-10 / Win 7
- IE 10 / Win Phone 8.0
- Safari 5.1.9 / OS X 10.6.8
- Safari 6.0.4 / OS X 10.8.4