United Kingdom | Change Country

2016 Security Changes Notice

Picture3

      

Following the successful update of Verifone’s security certificates to SHA-2 in October last year, Verifone’s next security update takes place in June 2017.

Decommission legacy protocols and connections

On 27th June 2017, support for SSL v3 and TLS 1.0 will be withdrawn and legacy connection routes decommissioned.

TLS 1.1 and 1.2 will be the only supported connection protocol from this date. This applies to both inbound and outbound connections on all card-not-present solutions.

Does this affect me?

These changes impact all web-based services. Examples include payments made: on a website, on a mobile phone application, or via call-centre systems.

Chip & Pin terminals are NOT impacted. Please check if you use one of the solutions below.

XML and Web Services

Merchants who make a direct server-to-server connection to Verifone must amend their systems to use the replacement URLs, below, by 27th June 2017. The new URLs support TLS 1.1 and 1.2 only.  

  Service name / version  

 URLs being decommissioned on 27th June 2017
 

Replacement URLs
  (available from 16th Sept 2016)  

Ocius XML versions 2, 3 XML.CXMLPG.COM GATEWAY.CXMLPG.COM
Ocius XML versions 4 TXN.CXMLPG.COM PAYMENT.CXMLPG.COM

You can test the readiness of your system by following the instructions on the Testing Your Solution page (see tab 2 above).

Hosted Payment Page and Vanguard

For solutions where cardholders connect and submit card data directly to Verifone, you will need to ensure card-holders are using a web browser that is able to support TLS 1.1 or 1.2

Service name / version

URL

Vanguard (also known as Web Service Sessions) VG-A.CXMLPG.COM
Payment Page version 1 (legacy) PAYPAGE.CXMLPG.COM
Payment Page version 2 PP2.CXMLPG.COM

A list of compatible web browsers can be found here: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers Additional external sources detailing web browser and operating system support for TLS 1.1 or 1.2 and SHA-2 can be found on our FAQ page (see tab 3, above).

Why are we making these changes?

Verifone are committed to ensuring the safety and security of cardholder data. These updates are part of a PCI DSS and industry-wide initiative to improve security standards to protect merchants and customer card data from known vulnerabilities.

PCI Security Standards Council no longer permits SSL v3 or TLS 1.0 for new implementations, and software vendors including Microsoft, Google, and Apple have all announced that they are removing support for SSL v3 and TLS 1.0 from their web browsers.

Please test the readiness of your solution by making a connection to our Test service using the following URLs. Do not send live card details to the Test service. Update your solution to use one of the below URLs, appropriate to the service you use.

Test Environment

Table1

Example:

Clients currently using https://xml-test.cxmlpg.com/Gateway/Gateway.asmx would change to… https://xml-cst.cxmlpg.com/Gateway/Gateway.asmx

It is not necessary to complete a full test transaction; but if you would like to and do not already have a Verifone Test Account, you can use the following credentials.

System ID: 1000001381
GUID: 916CEE43-AE7F-4774-B4A2-DC98387034C7

Table2

When do I need to act?

We recommend you act as soon as possible to test your system’s readiness and complete any upgrades where required. You can make your upgrades at any time – but must have these in place before 27th June 2017.

Why are SSL v3 and TLS 1.0 being retired?

SSL v3 and TLS 1.0 no longer meet minimum security standards due to vulnerabilities in these protocols for which there are no fixes. Verifone are committed to ensuring the safety and security of cardholder data, and PCI DSS no longer permits SSL v3 and TLS 1.0 for new implementations.

Does Verifone already support TLS 1.1 and TLS 1.2?

Yes, Verifone already support TLS 1.1 and 1.2, please ensure you are using the correct URL for your service. Please check the URLs that your solution uses today and test against the new URLs on our Test platform.

I have developed a smartphone app that uses Verifone’s payment service – will this be affected?

Yes – any system or application that connects to our Web Service gateway will be affected. Many smartphones already support TLS 1.1 and 1.2. Please check the URL that your solution uses today and test against the new URLs on our Test platform.

How will I know if a cardholder browser is compliant?

What if my system is not ready by the 27th June 2017?

Unfortunately, we cannot change this date – please act now to ensure your service is not affected on 27th June 2017.

Connections attempting to use SSL v3 or TLS 1.0 will be refused from 27th June 2017.

Are my Chip&Pin terminals affected by this change?

No, Chip & Pin terminals are not affected by this change.

The PCI Council now permit use of SSL and Early TLS until 2018?

Whilst this may be true, the PCI Council also states that ‘Entities using SSL and early TLS must work towards upgrading to a strong cryptographic protocol as soon as possible.’
Entities using SSL and early TLS must also have a Risk Mitigation and Migration Plan in place.

Verifone are committed to ensuring the safety and security of cardholder data, and PCI DSS no longer permits SSL v3 and TLS 1.0 for new implementations.

I'm having trouble connecting to the Test system.

Please ensure your solution supports both SHA-2 certificate and TLS 1.1 or 1.2

I’m not sure what system I use – how can I check.

Should you need any assistance, please contact us using form to the right.

I’m not sure what changes I need to make.

Should you need any assistance, please contact us using form to the right.

FURTHER HELP


Our FAQs tab (to the left) is designed to help you effectively with your queries.

If you have further queries, Contact Us