What is TLS?
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.
- Encryption protocol that ensures privacy between communicating applications and their users online
- Ensures no 3rd parties can eavesdrop or tamper with messages when servers and clients communicate
- Successor to SSL (Secure Socket Layer)
Did PCI 3.1/3.2 make a change regarding TLS?
In 2014, the US National Institute of Standards and Technology (NIST) declared TLS 1.0 to be an unacceptably weak and unsafe cryptographic protocol. Accordingly, the PCI SSC has mandated that TLS 1.0 must be disabled by June 30, 2018 (per PCI 3.1 and PCI 3.2). All payment application providers are required to update to (at least) TLS 1.1 - if not TLS 1.2 - by this deadline.
Does this change affect Cayan's services?
Cayan's gateway has supported TLS 1.1 and 1.2 since at least mid-2014. In accordance with the PCI SSC's mandate, on July 1, 2018, Cayan will be disabling support for TLS 1.0 in all of its products, including (but not limited to) Genius, Transport.Web, MerchantWare, and its portals.
As a POS provider, how does this change affect me?
Cayan's products are largely provided as a collection of HTTPS-based web services. All communications between your POS and our payment gateway are thus secured using TLS. If your POS is deployed on a system that doesn't support newer TLS versions (e.g. any version of Windows before Windows 7), you may be unable to make payments using Cayan's solutions come July 1, 2018.
What guidance has the PCI SSC provided?
Fifteen years ago, SSL v3.0 was superseded by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. To date, SSL and early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
Please see the PCI SSC Guide on Migrating from SSL and Early TLS.
As an eCommerce shopping cart provider, how does this change affect me?
Cayan's primary online shopping solutions, Checkout and TransportWeb, both communicate with Cayan's servers using HTTPS. If your users are using older browsers or operating systems (e.g. Windows before Windows 7), they may be unable to make payments using Cayan's solutions come July 1, 2018.
If your web servers communicate with Cayan's payment gateway, these will also need to use TLS 1.1/1.2.
How can I tell which version of TLS my application is using?
A packet capture tool like Wireshark can help: it decodes the TLS handshake and shows the protocol version the client offers in its ClientHello and the version the server selects in its ServerHello. See https://wiki.wireshark.org/SSL
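The version check Wireshark performs can also be done directly on the bytes of the first message a client sends, the ClientHello. The following is an added example, not code from the FAQ or from Cayan: it parses a ClientHello record and reports the highest protocol version the client offers, which is what decides whether a gateway that has dropped TLS 1.0 will still accept the connection. The sample messages are constructed inline by `build_client_hello` rather than taken from a real capture, and the TLS 1.1 floor (`MIN_ACCEPTABLE`) is the one the FAQ states for the July 1, 2018 cutoff.

```python
"""Report the highest TLS version a client offers, from the raw bytes of its ClientHello.

Added example (not part of the original FAQ). All sample records are constructed
inline; no network access is needed.
"""
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
MIN_ACCEPTABLE = 0x0302          # TLS 1.1: the floor the FAQ gives for July 1, 2018
SUPPORTED_VERSIONS_EXT = 43      # extension type used by TLS 1.3 clients (RFC 8446)


def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello record (a constructed sample, not a real capture)."""
    body = struct.pack(">H", client_version) + bytes(32)   # legacy version + 32-byte random
    body += b"\x00"                                        # empty session id
    cipher_suites = b"\x00\x2f\x00\x35"                    # TLS_RSA_WITH_AES_128/256_CBC_SHA
    body += struct.pack(">H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                    # one compression method: null
    if supported_versions is not None:
        versions = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record-layer version stays 0x0301 for a ClientHello whatever gets negotiated.
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def highest_offered_version(record):
    """Return the highest TLS version (16-bit code) offered in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    client_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                            # skip random
    pos += 1 + body[pos]                                     # skip session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # skip cipher suites
    pos += 1 + body[pos]                                     # skip compression methods

    # Pre-TLS 1.3 clients announce their maximum in client_version; TLS 1.3 clients
    # pin client_version at 0x0303 and list their real versions in an extension.
    highest = client_version
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                listed = [struct.unpack(">H", data[i:i + 2])[0]
                          for i in range(1, 1 + data[0], 2)]
                highest = max(listed)
    return highest


def assess(record):
    """Summarise a ClientHello: highest version name and whether a TLS 1.1+ gateway accepts it."""
    highest = highest_offered_version(record)
    return {
        "highest": TLS_VERSION_NAMES.get(highest, "unknown 0x%04x" % highest),
        "accepted_after_tls10_cutoff": highest >= MIN_ACCEPTABLE,
    }


if __name__ == "__main__":
    samples = {
        "legacy POS (TLS 1.0 only)": build_client_hello(0x0301),
        "TLS 1.2 client": build_client_hello(0x0303),
        "TLS 1.3 client": build_client_hello(0x0303, [0x0304, 0x0303]),
    }
    for label, record in samples.items():
        print(label, assess(record))
```

To apply this to your own POS, feed `highest_offered_version` the payload of the first TCP segment the POS sends after connecting on port 443 (the bytes Wireshark labels as the Client Hello). A result of TLS 1.0 means the POS will stop working when the gateway disables TLS 1.0; anything at TLS 1.1 or above is fine.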
Is there a quick way to tell if my POS might be affected?
You (or your merchants) are more likely to be affected if your POS or server:
- Uses an older version of Windows (i.e. before Windows 7 or Windows Server 2008 R2). This includes:
  - Windows XP
  - Windows Server 2003
  - Windows Vista
  - Windows Server 2008 R1
  - Windows POSReady 2009
- Uses an older version of Java (Java 6 or earlier)
- Uses an older version of OpenSSL on a Linux/MacOSX/Unix environment (i.e. before OpenSSL 1.0.1).
You (or your merchants) are less likely to be affected if your POS:
- Is based on tablet or mobile technologies (i.e. Android or iOS)
- Is browser-based, and you are using a recent version of your web browser
  - This is especially true for Chrome and Firefox. If you use Internet Explorer, please see the notes about "older versions of Windows" above to see if you're likely affected.
- Uses recent versions of Windows, Linux, MacOSX, or Java
Can I test if my POS works with TLS 1.2 using Cayan's gateway?
Absolutely. We have a lab available for partner testing that only requires you to edit your point of sale's "hosts file" or DNS within your control (e.g. a wireless router within your lab). The lab's IP is 22.214.171.124. This lab points at Cayan's Chicago production environment, and is not subject to any SLAs, including uptime. Please reach out to our Integrations Team via <integrations at cayan dot com> for assistance.
My POS/Web Server uses Windows. Help?
The table below is a quick reference guide regarding which versions of Windows support TLS 1.1 and 1.2.
Please note that if you are using Windows 7, Windows Server 2008 R2, or Windows 8, Windows has support for TLS 1.1 and TLS 1.2, but it is disabled by default. This can be changed in a number of ways - the simplest being the "Internet Options" dialog in your Control Panel.
Below are a number of resources from Microsoft regarding TLS support on Windows:
API changes for .NET, Java, and cURL to enable TLS v1.2
.NET: Use the SecurityProtocol property to enable TLS v1.2.
For details on how to use the SecurityProtocol property, visit:
For example, to force TLS v1.2 in a C# .NET implementation, you would use:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
Java: NOTE: JDK 8 will use TLS v1.2 as default.
For JDK 7, use the SSLContext.getInstance method to enable TLS v1.2.
For details on how to use the SSLContext.getInstance method, visit:
For example, to use the default security layer provider to enable TLS v1.2, you would use:
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
To force TLS v1.2 while using Oracle's Sun Java Secure Socket Extension (JSSE), you would use:
SSLContext ctx = SSLContext.getInstance("TLSv1.2", "SunJSSE");
cURL: Use the CURLOPT_SSLVERSION option to enable TLS v1.2.
For details on how to use the CURLOPT_SSLVERSION option, visit:
In cURL version 7.34.0 or later, use the following examples to force TLS v1.2:
C (libcurl):
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
PHP:
curl_setopt($curl_request, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
- Cayan Partner Presentation - PCI 3.2: Disabling TLS 1.0
- Slide Deck
- Webinar (available after April 12, 2017)