To increase security for transaction processing, CityPay is requiring TLS version 1.2 to connect. Clients may need to make changes to their payment infrastructure to meet the new security requirements. In May 2015 CityPay announced support for the Payment Card Industry Security Standards Council (PCI SSC) bulletin on migrating from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) on our gateway endpoints. Version 3.2 of the PCI Data Security Standard (DSS) was released in April 2016 and now requires that all endpoints stop using SSL and early versions of TLS.
To ensure CityPay meets its compliance commitments for PCI, CityPay is requiring that all merchant integrations meet the following requirements by the specified date: Effective 28 January 2018, CityPay will disable the use of TLS versions 1.0 and 1.1 and require that secure connections to all CityPay production gateways use TLS version 1.2 encryption.
Upgrade Help
We currently have around 0.5% of traffic still using TLSv1.1, with the remainder using TLSv1.2; the impact for each merchant may be non-existent.
To aid with the removal process, we have outlined some key points to consider. Wikipedia also has a useful page comparing TLS implementations, available from https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations.
What happens if my client does not support TLSv1.2?
Should your client not support TLSv1.2, you will begin to get protocol, handshake or connection errors when talking to our service. You will need to upgrade your vendor software to the latest versions.
How do I check that my service works with TLSv1.2?
The CityPay service at tls-migration-testing.citypay.com has been configured to use TLSv1.2 only. You can test your payments service by pointing the payment URL from secure.citypay.com to tls-migration-testing.citypay.com, i.e. from https://secure.citypay.com/ecom/api to https://tls-migration-testing.citypay.com/ecom/api. The endpoint is capable of conducting the full payment stack; however, the certificate is only valid for 3 months, after which it will be retired. Once you have successfully tested, please move the service back.
Which browsers may be affected by processing?
Most modern browsers since 2014 have used TLSv1.2; however, older legacy systems may not support it. The following table is a simplistic guide.
To check whether your browser is TLSv1.2 capable, visit https://www.ssllabs.com/ssltest/viewMyClient.html
What CityPay Services are Affected?
All Gateway HTTP endpoints will be changed, including
I am using the Merchant Control Panel Virtual Terminal, how will the change affect me?
If you are using the virtual terminal, ensure you are using the latest patched browser for your operating system. Most modern browsers such as Chrome, Safari, Firefox and Microsoft Edge update automatically to the latest version. To confirm your browser, go to https://www.ssllabs.com/ssltest/viewMyClient.html and check that your browser has TLS 1.2 support. For corporate networks, ensure you are using the latest browsers and that TLS 1.2 is enabled in Active Directory.
I am using PayPOST/CityPay API, how will the change affect me?
Your connection into our gateway will use an operating system or software component to perform the TLS handshake, for instance Java SE, cURL, OpenSSL, MS SChannel or similar. If you are using Windows, you will need to ensure that you are using SChannel 8.1 or above, which is included with Windows 2012R2 and above. Windows 2008 does support TLS 1.2 but requires additional installations; see https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/ for details. Windows 2003 is not known to provide support.
To test your connection, we recommend performing a test transaction by pointing your service to https://tls-migration-testing.citypay.com. The host has been set up to use the live and test service while restricting the protocol to TLSv1.2. The service is temporary for 3 months and will be removed on 23 February 2018.
I am using Paylink version 2, how will the change affect me?
Paylink 2 requires that the end user's browser performs the interaction, so a TLSv1.2 capable browser is required. We recommend that your website restricts to TLSv1.2 in line with industry security practice. Should a user with an old browser attempt to connect to our service, they will receive a protocol or connection error in their browser. They are recommended to upgrade their browser to the latest version.
I am using Paylink version 3, how will the change affect me?
Your connection into our gateway will use an operating system or software component to perform the TLS handshake to create the Paylink token. Your server will use components such as Java SE, cURL, OpenSSL, MS SChannel or similar. If you are using Windows, you will need to ensure that you are using SChannel 8.1 or above, which is included with Windows 2012R2 and above. Windows 2008 does support TLS 1.2 but requires additional installations; see https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/ for details. Windows 2003 is not known to provide support.
To test your connection, we recommend performing a test transaction by pointing your service to https://tls-migration-testing.citypay.com. The host has been set up to use the live and test service while restricting the protocol to TLSv1.2. The service is temporary for 3 months and will be removed on 23 February 2018.
Paylink 3 also requires that the end user's browser performs the interaction, so a TLSv1.2 capable browser is required. We recommend that your website restricts to TLSv1.2 in line with industry security practice. Should a user with an old browser attempt to connect to our service, they will receive a protocol or connection error in their browser. They are recommended to upgrade their browser to the latest version.
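For the server-side connections described in the PayPOST/CityPay API and Paylink 3 answers, the following added example (not CityPay code) checks whether a client stack can complete a TLS 1.2 handshake and sorts failures into certificate, handshake or connection errors. It assumes a Python 3.7+ client; the function names are illustrative and the hostname is supplied by the operator.

```python
import socket
import ssl


def stack_supports_tls12():
    """True if the local Python/OpenSSL build can negotiate TLS 1.2 at all."""
    return bool(ssl.HAS_TLSv1_2)


def tls12_only_context():
    """Client context that offers TLS 1.2 and nothing else, with normal
    certificate and hostname verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tls12(host, port=443, timeout=10.0):
    """Attempt a TLS 1.2 handshake and return (ok, kind, detail).

    kind is "ok", "certificate", "handshake" or "connection", so a failure
    can be matched to the kind of error the client would report.
    """
    ctx = tls12_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "ok", "%s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached the certificate, which was then rejected.
        return False, "certificate", exc.verify_message
    except ssl.SSLError as exc:
        # Protocol failure: no shared version or cipher, or the peer is not TLS.
        return False, "handshake", exc.reason or str(exc)
    except OSError as exc:
        # DNS failure, refused connection or timeout: no handshake completed.
        return False, "connection", str(exc)


if __name__ == "__main__":
    import sys
    # Hostname comes from the command line; nothing is hard-coded here.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("OpenSSL build:", ssl.OPENSSL_VERSION, "| TLS 1.2:", stack_supports_tls12())
    print(probe_tls12(target))
```

A "handshake" result from a host that only accepts TLSv1.2 means the client library or operating system component needs upgrading; a "certificate" result means the protocol is fine and the trust store needs attention.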
Which products are known not to work?
The following products will be deemed as end of life for connecting to CityPay's gateway services and upgrades will need to be ensured by the cut over date.
Which products are known to work with the changes?
The following products are expected to have no impact