
2016 Security Changes Notice


In August 2016, Verifone communicated dates on the forthcoming security updates to card-not-present solutions. 

The first activity was completed on 4th October 2016, when security certificates were updated from SHA-1 to SHA-2. SSL v3 was also withdrawn from our hosted Payment Page solutions.

The next activity takes place on 27th June 2017.
SSLv3 and TLS 1.0 will be retired on all inbound and outbound connections for Verifone’s card-not-present solutions.

Please review the details below and ensure your systems are ready prior to 27th June 2017.

Certificate Upgrade

On 4th October 2016, Verifone upgraded the security certificate used to secure our card-not-present solutions, to SHA-2. This replaced the previous SHA-1 certificate which was due to expire.
Going forward, merchants will need to support SHA-2 for all card-not-present solutions.

You can test the readiness of your system by following the instructions on the Testing Your Solution page. See tab 2 above.

Some merchants may need to manually import a trust certificate into their solution. You can download the certificates from our FAQ page. See tab 3 above.

SSL v3 and TLS 1.0 Retirement - Hosted Payment Page and Vanguard

For solutions where cardholders connect and submit card data directly to Verifone, support for SSLv3 and TLS 1.0 will be withdrawn from all card-not-present solutions on 27th June 2017.
This applies to both inbound and outbound connections.

TLS 1.1 and 1.2 are already available on these solutions and major web browser vendors, such as Microsoft, Google and Apple, have announced that support for SSL v3 and TLS 1.0 is being withdrawn from their web browsers from 31st December 2016.

You may need to prompt your cardholders to ensure they have an up-to-date web browser.
Links to some external sources detailing web browser and operating system support for TLS 1.1/1.2 and SHA-2 can be found on our FAQ page. See tab 3, above.

SSL v3 and TLS 1.0 Retirement - Ocius XML and Web Services

On 27th June 2017, support for SSLv3 and TLS 1.0 will be withdrawn from all card-not-present solutions. This applies to both inbound and outbound connections.

Merchants who make a server-to-server connection to Verifone must amend their systems to use the replacement URLs, below, by 27th June 2017.  

Service name / version | Existing URLs (withdrawn 27th June 2017) | Replacement URLs (available from 16th Sept 2016)
Ocius XML versions 2, 3 | XML.CXMLPG.COM | GATEWAY.CXMLPG.COM
Ocius XML version 4 | TXN.CXMLPG.COM | PAYMENT.CXMLPG.COM

You can test the readiness of your system by following the instructions on the Testing Your Solution page. See tab 2 above.

Why Are We Making These Changes?

These updates are part of a PCI DSS and industry-wide initiative to improve security standards and to protect merchants and customer card data from known vulnerabilities.

Verifone are committed to ensuring the safety and security of cardholder data, and PCI DSS no longer permits SSL v3 and TLS 1.0 for new implementations.

Which Services Are Affected?

The following Verifone services are affected by this security update:

• Ocius XML version 2, 3 and 4

• Ocius Vanguard / Web Service Sessions

• Ocius Payment Page version 1 and 2

The security certificate, connection protocols, and applicable dates for each service are listed below:

Certificate Connection Protocol

 Ocius Web Service name / version 
 SHA-1   SHA-2   SSL v3   TLS 1.0   TLS 1.1   TLS 1.2 
x x x  Ocius XML versions  2, 3, 4 (old URLs)
x x x  Ocius XML versions  2, 3, 4 (new URLs)
x x x


 Ocius Vanguard / Web Service Sessions

x x x  Ocius Payment Page version 1
x x x  Ocius Payment Page version 2

From 27th June 2017

Certificate Connection Protocol

 Ocius Web Service name / version 
 SHA-1   SHA-2   SSL v3   TLS 1.0   TLS 1.1   TLS 1.2 
x x x x x x  Ocius XML versions  2, 3, 4 (old URLs)
x x x  Ocius XML versions  2, 3, 4 (new URLs)
x x x


 Ocius Vanguard / Web Service Sessions

x x x  Ocius Payment Page version 1
x x x  Ocius Payment Page version 2

Please test the readiness of your solution by making a connection to our Test service using the following URLs. Do not send live card details to the Test service. Update your solution to use one of the below URLs, appropriate to the service you use.

Test Environment


Example:

Clients currently using https://xml-test.cxmlpg.com/Gateway/Gateway.asmx would change to… https://xml-cst.cxmlpg.com/Gateway/Gateway.asmx

It is not necessary to complete a full test transaction; but if you would like to and do not already have a Verifone Test Account, you can use the following credentials.

System ID: 1000001381
GUID: 916CEE43-AE7F-4774-B4A2-DC98387034C7


When do I need to act?

We recommend you act as soon as possible to test your system’s readiness and complete any upgrades where required. You can make your upgrades at any time – but must have these in place by the dates we have communicated.

What is SHA-1 and why has it changed to SHA-256?

SHA is a Secure Hashing Algorithm used to safeguard the security certificates used when two computer systems talk to each other. SHA-1 is no longer considered secure and all replacement certificates must now be SHA-2. Microsoft and many popular web browser vendors announced that their products will not support SHA-1 certificates after 1st January 2017.

Why update the certificate on 4th October 2016?

Verifone’s previous certificates expire in December 2016. The October date was chosen to avoid the risk associated with merchants making changes to their systems during the busy seasonal trading period.

Why are SSL v3 and TLS 1.0 being retired?

SSL and early TLS no longer meet minimum security standards due to vulnerabilities in these protocols for which there are no fixes. Verifone are committed to ensuring the safety and security of cardholder data, and PCI DSS no longer permits SSL v3 and TLS 1.0 for new implementations.

Does Verifone already support TLS 1.1 and TLS 1.2?

Yes, Verifone’s managed service gateway supports both TLS 1.1 and 1.2. You can implement support for TLS 1.1 and 1.2 immediately.
Where clients can support TLS v1.1 and 1.2, Verifone recommends disabling SSL v3 and TLS 1.0 where it is possible to do so, to reduce the risk of downgrade attacks.
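
An added example, not Verifone's code: a Python client check that refuses SSL v3 and TLS 1.0 and tells a certificate trust failure (the issuing root may need a manual import) apart from a protocol failure. The TLS 1.2 floor and the function names are assumptions made here; the host is the test URL quoted in the example earlier in this notice.

```python
import socket
import ssl


def build_context():
    """Client context that cannot negotiate SSL v3 or TLS 1.0.

    Assumption: the floor is TLS 1.2, the higher of the two versions the
    notice says the gateway supports, so TLS 1.1 is refused as well.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(host, port=443, timeout=10):
    """Attempt a handshake and report which layer failed, if any."""
    ctx = build_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Handshake done: protocol floor met and chain trusted
                return {"status": "ok", "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        # Chain did not validate against the local trust store; this is
        # the case where a root certificate may need importing by hand.
        return {"status": "certificate_not_trusted",
                "detail": exc.verify_message}
    except ssl.SSLError as exc:
        # No protocol version or cipher in common with the server
        return {"status": "handshake_failed", "detail": str(exc)}
    except OSError as exc:
        # DNS failure, refused connection, timeout
        return {"status": "unreachable", "detail": str(exc)}


if __name__ == "__main__":
    # Host taken from the test URL example in this notice
    print(check_endpoint("xml-cst.cxmlpg.com"))
```
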

Where can I find the new SHA-2 certificates?

Many systems will automatically import the new trust certificates - however some systems may require certificates to be manually imported.

Please engage your technical team or 3rd party partner to establish whether you need to manually import certificates.

Verifone’s certificates are issued by Trustwave. If required, you can download the Trustwave Root Certificates here.
You will need the certificate titled “Trustwave Organization Validation SHA256 CA

Should you need to import Verifone’s Intermediate Certificate, please contact us using the form to the right.

I have developed a smartphone app that uses Verifone’s payment service – will this be affected?

Yes – any system or application that connects to our Web Service gateway will be affected. Many smartphones already support SHA-2 and TLS 1.1 / 1.2. Please check the URL that your solution uses today and test against the new URLs on our Test platform.

How will I know if a cardholder browser is compliant?

There are a number of external resources detailing the various web-browser and operating system combinations that support SHA-2 and TLS 1.1 / 1.2.

What if my system is not ready by the 4th October?

Unfortunately we cannot change this date – please act now to ensure your service is not affected on 4th October 2016.

Are my Chip & Pin terminals affected by this change?

No, Chip & Pin terminals are not affected by this change.

The PCI Council now permit use of SSL and Early TLS until 2018?

Whilst this may be true, the PCI Council also states that ‘Entities using SSL and early TLS must work towards upgrading to a strong cryptographic protocol as soon as possible.’
Entities using SSL and early TLS must also have a Risk Mitigation and Migration Plan in place.

Verifone are committed to ensuring the safety and security of cardholder data, and PCI DSS no longer permits SSL v3 and TLS 1.0 for new implementations.

I’m having problems with your new test platform – where can I get assistance?

Should you need any assistance, please contact us using the form to the right.

FURTHER HELP


Our FAQs tab (to the left) is designed to help you effectively with your queries.

If you have further queries, Contact Us