Important TLS Disablement Notice

Hi,

I received an email about "Important TLS Disablement Notice" and wanted to double check who this affects.

This is something that only affects customers that are connecting to Authorize.Net from their servers using, for example, the Advanced Integration Method.

But for example in Direct Post Method the payment information goes directly from customer PC to Authorize.Net servers.

And so if we are connecting using the Direct Post Method where the payment doesn't go through the merchant's server then this would not affect us. Is that correct?

If that is correct, what about the relay response page? Is there any scenario where this could affect that?

Thanks


All Replies

Re: Important TLS Disablement Notice

[ Edited ]

Hello @kk

The change affects endpoints and API methods including AIM and CIM using NVP, XML or JSON. The developer sandbox is ready for testing and supports a TLS 1.2 connection only.

https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/TLS-1-1-and-1-0-Disabl...

Richard

Solution
Accepted by topic author kk
‎05-08-2017 11:56 AM

Re: Important TLS Disablement Notice

Thanks, I guess I'll have to let our vendor know to test this.

But I would love an explanation of this. Especially since this will cost money to test by our vendor.

Seems like in DPM method the connection is between the user who might be in China and authorize.net.
As long as the guy in China has TLS 1.2 enabled in their browser it should work.

I don't get it. What would I be testing?

The connection doesn't come to our server.


Re: Important TLS Disablement Notice

[ Edited ]

When using Direct Post Method (DPM), your server generates the form where your customers enter their credit card information, which must be an HTTPS page secured with TLS 1.2 in order to be PCI compliant. If it's not, an attacker could modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the customer's information as it is typed.

By the way, with the release of Accept.js, the DPM is considered to be deprecated - now obsolete and in the process of being phased out.

Powered by NexWebSites.com -
Certified Authorize.net developers
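
An added example, not part of any post in this thread: a Python check of which TLS versions a server, such as the host that serves the DPM payment form, will negotiate. The function names and the sample result are constructed for illustration; pass your own hostname as the first argument.

```python
import socket
import ssl
import sys

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def pinned_context(version):
    """Client context that offers exactly one TLS version (hypothetical helper)."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Map each version name to True if the handshake completed at that version."""
    results = {}
    for version in VERSIONS:
        raw = socket.create_connection((host, port), timeout=timeout)
        try:
            with pinned_context(version).wrap_socket(raw, server_hostname=host):
                results[version.name] = True
        except ssl.SSLCertVerificationError:
            raise  # a certificate problem is not a protocol-version answer
        except (ssl.SSLError, ConnectionError, socket.timeout):
            # Refused by the server, or by local OpenSSL policy for TLS 1.0/1.1.
            results[version.name] = False
        finally:
            raw.close()
    return results


def verdict(results):
    """Summarise a probe() result against a TLS 1.2 requirement."""
    if not results.get("TLSv1_2"):
        return "FAIL: TLS 1.2 not negotiated"
    legacy = [v for v in ("TLSv1", "TLSv1_1") if results.get(v)]
    if legacy:
        return "WARN: still accepts " + ", ".join(legacy)
    return "OK: TLS 1.2 accepted, TLS 1.0/1.1 refused"


if __name__ == "__main__":
    # Constructed sample result, used when no hostname is given.
    sample = {"TLSv1": False, "TLSv1_1": True, "TLSv1_2": True, "TLSv1_3": False}
    res = probe(sys.argv[1]) if len(sys.argv) > 1 else sample
    print(res, "->", verdict(res))
```

A `False` for TLS 1.0 or 1.1 can also mean the local OpenSSL build will not offer that version, so confirm a "refused" result from a client that still supports the old protocols.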

Re: Important TLS Disablement Notice

Thank you for your replies.

Should a website be tested using DPM now in an effort to determine TLS 1.2 compatibility? Or is DPM compliant? I understand it is deprecated although the transition to accept.js could happen after the deadline, correct? (if it is TLS 1.2 compliant) What I am truly asking, is DPM compatible with TLS 1.2?