Gateway TLSv1.0 and TLSv1.1 Removal

Fri 17 November 2017

To increase the security of transaction processing, CityPay will require TLS version 1.2 to connect to its gateway. Clients may need to change their payment infrastructure to meet this requirement. In May 2015 CityPay announced support for the Payment Card Industry Security Standards Council (PCI SSC) bulletin on migrating away from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) on our gateway endpoints. Version 3.2 of the PCI Data Security Standard (DSS), released in April 2016, requires that all endpoints stop using SSL and early TLS (the standard's migration deadline is 30 June 2018).

To meet its PCI compliance commitments, CityPay requires that all merchant integrations meet the following requirement by the specified date: effective 28 January 2018, CityPay will disable TLS versions 1.0 and 1.1, and all secure connections to CityPay production gateways must use TLS version 1.2.

Upgrade Help

Around 0.5% of our current traffic still uses TLSv1.1; the remainder already uses TLSv1.2, so for most merchants the change will have no impact.

To aid with the removal process, we have outlined some key points to consider below. Wikipedia also has a useful comparison of TLS implementations at https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations.

What happens if my client does not support TLSv1.2?

Should your client not support TLSv1.2, you will begin to get protocol, handshake or connection errors when talking to our service. You will need to upgrade your vendor software, or the TLS library it depends on, to a version that supports TLSv1.2.

How do I check that my service works with TLSv1.2?

The CityPay host tls-migration-testing.citypay.com has been configured to accept TLSv1.2 only. You can test your payment service by changing the payment URL from secure.citypay.com to tls-migration-testing.citypay.com, i.e. https://secure.citypay.com/ecom/api becomes https://tls-migration-testing.citypay.com/ecom/api. The endpoint runs the full payment stack, but its certificate is only valid for 3 months, after which the host will be retired. Once you have tested successfully, please point the service back to secure.citypay.com.
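If you want to see the failure mode before touching the real endpoint, or to check a server-side integration (the PayPOST/CityPay API and Paylink 3 cases below) from the machine that actually makes the calls, the following POSIX shell script reproduces the TLSv1.2-only behaviour locally with the openssl command-line tool. It is an added example, not CityPay's code: it starts a throwaway s_server that accepts only TLSv1.2, then probes it with clients pinned to TLSv1.0, TLSv1.1 and TLSv1.2, and reports the negotiated version or "none" for a protocol mismatch. It assumes that the openssl CLI (1.1.1 or later) is on PATH and that loopback port 44330 is free; both are assumptions of the example. The commented-out call at the end is the same probe pointed at tls-migration-testing.citypay.com.

```shell
#!/bin/sh
# Added example, not CityPay code. Assumes: the openssl CLI (1.1.1 or later)
# is on PATH and loopback port 44330 is free. The local s_server stands in
# for tls-migration-testing.citypay.com, which likewise accepts TLSv1.2 only.

PORT=44330
WORK="$(mktemp -d)"
SERVER_PID=""

# Throwaway self-signed certificate for the local TLSv1.2-only server.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Start a server that negotiates TLSv1.2 and nothing else (-tls1_2 pins both
# the minimum and the maximum protocol version), then wait until it answers.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -tls1_2 -www </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        if openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 </dev/null >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
    done
    return 1
}

stop_server() {
    [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=""
}

cleanup() {
    stop_server
    rm -rf "$WORK"
}
trap cleanup EXIT

# negotiate HOST:PORT VERSION_FLAG   (VERSION_FLAG is -tls1, -tls1_1 or -tls1_2)
# Prints the protocol version the client ended up with, or "none" when the
# handshake failed. A failed handshake shows up in s_client output as
# "New, (NONE), Cipher is (NONE)"; a successful one carries a
# "Protocol  : TLSv1.x" line in its SSL-Session block. With OpenSSL 3 the
# client itself may refuse to offer TLSv1.0/1.1 at the default security
# level; that is still a failed handshake and still reports "none".
negotiate() {
    target="$1"
    flag="$2"
    out="$(openssl s_client -connect "$target" "$flag" </dev/null 2>/dev/null || true)"
    case "$out" in
        *"Cipher is (NONE)"*) echo "none"; return 0 ;;
    esac
    proto="$(printf '%s\n' "$out" | awk '/^ *Protocol *:/ { print $3; exit }')"
    if [ -n "$proto" ]; then
        echo "$proto"
    else
        echo "none"
    fi
}

# Probe the local TLSv1.2-only server with each client version. Expected:
#   -tls1    -> none
#   -tls1_1  -> none
#   -tls1_2  -> TLSv1.2
run_demo() {
    make_cert
    start_server || { echo "local server did not start" >&2; return 1; }
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s -> %s\n' "$flag" "$(negotiate "127.0.0.1:$PORT" "$flag")"
    done
    stop_server
}

run_demo

# The same probe against CityPay's TLSv1.2-only test host (needs network, so
# not run here):  negotiate tls-migration-testing.citypay.com:443 -tls1_2
```

Run the script from the host that makes your payment calls, not from a workstation: the result depends on the OpenSSL build and configuration on that machine, which is exactly what the January cut-over will exercise. If the `-tls1_2` probe against the CityPay test host reports "none", your client stack cannot complete a TLSv1.2 handshake and needs upgrading before 28 January 2018.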

Which browsers may be affected?

Most browsers released since 2014 use TLSv1.2 by default; older legacy systems may not support it.

The following is a simplistic guide to the minimum browser versions with TLSv1.2 enabled by default:

  • Chrome 30+
  • Firefox 27+
  • Internet Explorer 11+ (IE 8, 9 and 10 can support TLSv1.2 but have it disabled by default)
  • Safari 7+

To check whether your browser is TLSv1.2 capable, visit https://www.ssllabs.com/ssltest/viewMyClient.html 

What CityPay Services are Affected?

All gateway HTTPS endpoints will be changed, including:

  • Paylink
  • Citypay API/PayPOST
  • PayPos
  • Merchant Control Panel
  • Bill Payment Services

I am using the Merchant Control Panel Virtual Terminal, how will the change affect me?

If you are using the virtual terminal, ensure you are using the latest patched browser for your operating system. Most modern browsers, such as Chrome, Safari, Firefox and Microsoft Edge, update automatically and will be on the latest version. To confirm, go to https://www.ssllabs.com/ssltest/viewMyClient.html and check that your browser reports TLS 1.2 support.

For corporate networks, ensure the latest browsers are deployed and that TLS 1.2 is enabled in any Internet Explorer or SChannel settings pushed out through Active Directory Group Policy.

I am using PayPOST/CityPay API, how will the change affect me?

Your connection into our gateway uses an operating system or software component to perform the TLS handshake, for instance Java SE, cURL, OpenSSL, Microsoft SChannel or similar. If you are using Windows, SChannel enables TLS 1.2 by default from Windows 8.1 / Windows Server 2012 R2 onwards. Windows 7 and Windows Server 2008 R2 support TLS 1.2 in SChannel, but several components built on it do not use it unless told to: Internet Explorer 8 to 10 (disabled by default), WinHTTP (needs update KB3140245 and its DefaultSecureProtocols registry value) and .NET Framework applications before 4.6 (which default to SSL 3.0/TLS 1.0 unless ServicePointManager.SecurityProtocol includes Tls12). Windows Server 2008 supports TLS 1.2 only after an additional update, see https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/ for details. Windows 2003 has no TLS 1.2 support. For non-Windows stacks, cURL and anything linked against OpenSSL need OpenSSL 1.0.1 or later, and Java 7 supports TLS 1.2 but does not enable it on the client by default (set https.protocols=TLSv1.2, or move to Java 8, which enables it by default).

To test your connection, we recommend performing a test transaction against https://tls-migration-testing.citypay.com. The host serves both the live and test services while restricting the protocol to TLSv1.2. It is temporary and will be removed on 23 February 2018.

I am using Paylink version 2, how will the change affect me?

Paylink 2 relies on the end user's browser performing the interaction, so it requires a TLSv1.2-capable browser. We recommend that your own website also restricts connections to TLSv1.2, in line with industry security practice.

Should a user with an old browser attempt to connect to our service, they will receive a protocol or connection error in their browser and should upgrade to the latest version.

I am using Paylink version 3, how will the change affect me?

Your connection into our gateway uses an operating system or software component to perform the TLS handshake that creates the Paylink token; your server will use Java SE, cURL, OpenSSL, Microsoft SChannel or similar. The same requirements as for PayPOST/CityPay API above apply: on Windows, SChannel enables TLS 1.2 by default from Windows 8.1 / Windows Server 2012 R2 onwards; Windows 7 and Windows Server 2008 R2 support it, but Internet Explorer 8 to 10, WinHTTP and .NET Framework applications before 4.6 do not use it by default; Windows Server 2008 needs an additional update, see https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/ for details; Windows 2003 has no TLS 1.2 support.

To test your connection, we recommend performing a test transaction against https://tls-migration-testing.citypay.com. The host serves both the live and test services while restricting the protocol to TLSv1.2. It is temporary and will be removed on 23 February 2018.

Paylink 3 also relies on the end user's browser performing the interaction, so it requires a TLSv1.2-capable browser. We recommend that your own website also restricts connections to TLSv1.2, in line with industry security practice.

Should a user with an old browser attempt to connect to our service, they will receive a protocol or connection error in their browser and should upgrade to the latest version.

Which products are known not to work?

The following clients cannot negotiate TLSv1.2 (each fails with a protocol mismatch) and will be deemed end of life for connecting to CityPay's gateway services; they must be upgraded before the cut-over date:

  • Android 2.3.7 (also sends no SNI)
  • Android 4.0.4
  • Android 4.1.1
  • Android 4.2.2
  • Android 4.3
  • Baidu Jan 2015
  • IE 6 / XP (no forward secrecy, no SNI)
  • IE 7 / Vista
  • IE 8 / XP (no forward secrecy, no SNI)
  • IE 8-10 / Win 7 (TLSv1.2 available but disabled by default)
  • IE 10 / Win Phone 8.0
  • Java 6u45 (no SNI)
  • Java 7u25 (TLSv1.2 supported but not enabled on the client by default)
  • OpenSSL 0.9.8y (TLSv1.2 support arrived in OpenSSL 1.0.1)
  • Safari 5.1.9 / OS X 10.6.8
  • Safari 6.0.4 / OS X 10.8.4

Which products are known to work with the changes?

The following products are expected to be unaffected. In each case the client negotiated TLS 1.2 with an ECDHE key exchange on curve secp256r1 (forward secrecy) against an RSA 2048-bit (SHA256) certificate; the cipher suite each client selected is listed.

  • Android 4.4.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Android 5.0.0: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Android 6.0: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Android 7.0: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • BingPreview Jan 2015: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Chrome 49 / XP SP3: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Chrome 57 / Win 7: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Firefox 31.3.0 ESR / Win 7: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Firefox 47 / Win 7: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Firefox 49 / XP SP3: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Firefox 53 / Win 7: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Googlebot Feb 2015: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • IE 11 / Win 7: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • IE 11 / Win 8.1: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • IE 11 / Win Phone 8.1: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • IE 11 / Win Phone 8.1 Update: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • IE 11 / Win 10: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Edge 13 / Win 10: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Edge 13 / Win Phone 10: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Java 8u31: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • OpenSSL 1.0.1l: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • OpenSSL 1.0.2e: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Safari 6 / iOS 6.0.1: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • Safari 7 / iOS 7.1: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • Safari 7 / OS X 10.9: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • Safari 8 / iOS 8.4: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • Safari 8 / OS X 10.10: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • Safari 9 / iOS 9: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Safari 9 / OS X 10.11: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Safari 10 / iOS 10: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Safari 10 / OS X 10.12: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Apple ATS 9 / iOS 9: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Yahoo Slurp Jan 2015: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • YandexBot Jan 2015: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384