
Important TLS Disablement Notice

Hi,

 

I received an email about "Important TLS Disablement Notice" and wanted to double check who this affects.

 

This is something that only affects customers that are connecting to Authorize.Net from their servers using, for example, the Advanced Integration Method.

 

But for example in Direct Post Method the payment information goes directly from customer PC to Authorize.Net servers.

And so if we are connecting using the Direct Post Method where the payment doesn’t go through the merchants server then this would not affect us.  Is that correct?

 

If that is correct, what about the relay response page? Is there any scenario where this could affect that?

 

 

Thanks

kk
Member

4 REPLIES

Hello @kk

 

The change affects endpoints and API methods including AIM and CIM using NVP, XML or JSON. The developer sandbox is ready for testing and supports a TLS 1.2 connection only.

 

https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/TLS-1-1-and-1-0-Disabl...

 

Richard

RichardH
Administrator

Thanks, I guess I'll have to let our vendor know to test this.

But I would love an explanation of this. Especially since this will cost money to test by our vendor.

Seems like in DPM method the connection is between the user who might be in China and authorize.net.
As long as the guy in China has TLS 1.2 enabled in their browser it should work.

I don't get it. What would I be testing?

The connection doesn't come to our server.

 

When using Direct Post Method (DPM), your server generates the form where your customers enter their credit card information, which must be an HTTPS page secured with TLS 1.2 in order to be PCI compliant. If it's not, an attacker could modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the customer's information as it is typed.

 

By the way, with the release of Accept.js, the DPM is considered to be deprecated - now obsolete and in the process of being phased out.

Powered by NexWebSites.com -
Certified Authorize.net developers
NexusSoftware
Trusted Contributor
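
One way to run the check discussed in this thread, as an added example that is not part of any post here and is not Authorize.Net code: a probe that refuses anything below TLS 1.2 and reports whether the handshake completes. The function names and the `shop.example` placeholder are assumptions made for this illustration; the hosts to test are supplied by the operator.

```python
import socket
import ssl
import sys

# Protocol versions that remain usable once TLS 1.0 and 1.1 are switched off.
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def tls12_only_context():
    """Client context that will not negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Attempt a TLS 1.2+ handshake with host:port and return (ok, detail).

    The result describes BOTH ends: the local TLS library and the remote
    listener. Run it on the merchant web server to test outbound API calls,
    and against the host serving the payment form to test that page.
    """
    ctx = tls12_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                return version in ACCEPTED, f"{version} with {tls.cipher()[0]}"
    except ssl.SSLError as exc:  # must precede OSError, its base class
        return False, f"handshake failed: {exc.reason or exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Hosts come from the operator, e.g.: python tls12_probe.py shop.example
    # (shop.example is a placeholder, not a name from the thread).
    for target in sys.argv[1:]:
        ok, detail = probe(target)
        print(f"{target}: {'OK' if ok else 'FAIL'} ({detail})")
```

A FAIL from the merchant server but an OK from a current workstation against the same host points at the server's own TLS library rather than the remote endpoint.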

Thank you for your replies.  

 

Should a website be tested using DPM now in an effort to determine TLS 1.2 compatibility? Or is DPM compliant? I understand it is deprecated although the transition to accept.js could happen after the deadline, correct? (if it is TLS 1.2 compliant) What I am truly asking, is DPM compatible with TLS 1.2?