The Authorize.Net Developer Blog

Posts from Authorize.Net employees, community members and experts about integrating with the Authorize.Net Payment Gateway: sample code, tutorials, and problem-solving techniques, just to name a few.

Authorize.Net begins TLS 1.0 Remediation for PCI DSS compliance

by Administrator Administrator ‎07-07-2015 01:20 PM - edited ‎04-19-2017 11:12 AM (144,836 Views)

Update, 4-19-2016: Please refer to this blog post for the latest details.

 

Update, 4-26-2016: We have an update to our TLS plans. Please read this announcement for details.

 

Update, 12-16-2015: We are still finalizing our plans for remediating TLS 1.0 in both Sandbox and Production. In addition, we are discussing the possibility of disabling TLS 1.1 at the same time. While TLS 1.1 is not strictly forbidden by PCI DSS 3.1, there are enough security concerns that we may disable TLS 1.1 as well as TLS 1.0.

Regardless, we strongly urge all merchants and developer partners to use the strongest available protocols for their API integrations. As of this writing, that would be TLS 1.2.

 

Update, 7-27-2015: The disabling of TLS 1.0 in Sandbox is delayed until further notice. We will make an update here once we have a new date for this change.

 

On July 27, 2015, Authorize.Net will disable TLS 1.0 in our Sandbox environment. This will provide developers an environment to test their integrations and confirm they are ready for the new PCI DSS requirements.

 

After July 27, 2015, any solution that does not support TLS 1.1 or TLS 1.2 will see API connection failures in our Sandbox environment. Although the underlying cause will be a failed TLS negotiation, your solution may report these as Internet connection failures, general errors, or declines. Please check with your solution provider for troubleshooting suggestions to help resolve connectivity issues.

 

Authorize.Net will be disabling TLS 1.0 in Production at a later time to be determined, ahead of the June 30, 2016 deadline set by PCI DSS.

 

The following operating systems, components, and frameworks are known to support TLS 1.1 and 1.2:

 

- Windows Server: Version 2008 R2 and later. (Source)
- .NET: Version 4.5 and later. Requires Windows Server 2008 R2 SP1. (Source 1, Source 2)
- OpenSSL: Version 1.0.1 and later. (Source)
- cURL: Version 7.34.0 and later. (Source)
- PHP: Version 5.6 and later. Requires OpenSSL 1.0.1 and later. (Source)
- Java: JRE 1.7 / JDK 7 and later. (Source)
- ColdFusion: Version 10 with JRE 1.8; Version 11 with JRE 1.7 or greater. (Source)
- Perl: Depends on implementation. Net::SSLeay requires OpenSSL 1.0.1 and later. (Source)
- Nginx: Version 0.7.65/0.8.19 and later. Requires OpenSSL 1.0.1 and later. (Source 1, Source 2)
- MacOS: Version 10.9 AKA Mavericks. (Source)
- iOS: Version 5 and later. (Source)
- Android OS: Version 4.2 and later. Requires OpenSSL 1.0.1 and later (bundled by default). (Source)

 

We will add to this list as needed.

 

Notes:

 

  1. Windows Server 2008 R2 does NOT enable TLS 1.1/1.2 by default. Please consult https://technet.microsoft.com/en-us/library/dn786418.aspx for details on how to enable TLS 1.1/1.2.
  2. Many of the above technologies depend on OpenSSL. To ensure TLS 1.1/1.2 works, you will need to upgrade both OpenSSL and the technology that depends on it.
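
The post notes that a rejected TLS handshake is easily misreported as an Internet connection failure. The following Python code is an added example, not Authorize.Net code: it reports what the local TLS library supports and classifies a handshake attempt as a TLS negotiation failure, a certificate problem, or a network failure. The function names are illustrative, and the local server is a constructed stand-in that always answers with a `protocol_version` alert.

```python
import socket
import ssl
import threading

# Constructed TLS alert record: type 0x15 (alert), record version 0x0301,
# length 2, level 2 (fatal), description 70 (protocol_version).
PROTOCOL_VERSION_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])

def local_stack_report():
    """What this runtime's TLS library can do, before touching the network."""
    return {"library": ssl.OPENSSL_VERSION,
            "tls1_1": ssl.HAS_TLSv1_1, "tls1_2": ssl.HAS_TLSv1_2}

def probe(host, port, timeout=5.0):
    """Handshake with TLS 1.2 as the floor and say why it failed, if it did."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"outcome": "ok", "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"outcome": "certificate", "detail": exc.verify_message}
    except ssl.SSLError as exc:  # must come before OSError, its base class
        return {"outcome": "tls_negotiation", "detail": exc.reason or str(exc)}
    except OSError as exc:       # refused, timed out, name resolution failed
        return {"outcome": "network", "detail": str(exc)}

def start_refusing_server():
    """Hypothetical local endpoint that rejects every handshake (test aid)."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = srv.accept()
        with conn:
            header = conn.recv(5)                      # TLS record header
            todo = int.from_bytes(header[3:5], "big")  # ClientHello length
            while todo > 0:                            # drain the ClientHello
                chunk = conn.recv(todo)
                if not chunk:
                    break
                todo -= len(chunk)
            conn.sendall(PROTOCOL_VERSION_ALERT)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Calling `probe` with the host and port of the endpoint your integration uses shows the negotiated protocol version on success; an outcome of `tls_negotiation` points at the TLS stack, not the network.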

Comments
by klassic
on ‎08-27-2015 12:08 PM

We process through Authorize.Net using JBoss Application Server in a Windows environment.  Does this mean that all servers need to be at least 2008 R2 with TLS 1.1/1.2 enabled and updated to at least JDK 7?

by robearth_auth
on ‎11-24-2015 05:14 AM

Hi - I would just like to clarify the requirement. It says that our servers should support TLS 1.1 "OR" TLS 1.2.

So we only enabled TLS 1.1 since TLS 1.2 is not compatible with our OS. Is this sufficient?

Also - We did not disable TLS 1.0. Will this be okay?

 

Pardon the question - newbie here. :-)

by hammond13
on ‎12-09-2015 08:32 AM

Are there any updates on the dates for this? And does this affect ics2wstest.ic3.com, or is there some other place to see the status for the Cybersource SOAP API?

by darbvin
on ‎01-06-2016 11:32 AM

Is there an update on this topic in light of the new PCI deadline of 2018?  

by jackie-ag
on ‎02-17-2016 11:30 AM

We received an email from your team yesterday in which it mentions "Over the next few months, we are making several updates to our systems".

Is there an updated timeline? 

by sysadmin
on ‎02-23-2016 03:14 AM

Hi, we are using Auth.Net for the following types: AUTH_CAPTURE, AUTH_ONLY, PRIOR_AUTH_CAPTURE, CREDIT, VOID. I got to know that as per the new version of Auth.NET we need to pass some additional parameters.

Where can I get the guide/document for the latest release?

by webclinicpro
on ‎03-30-2016 06:35 PM

We recently had a number of website security clients contacting us about the "Technical Updates".  In order to assist our customers, we developed a website scanner that tests for the RC4 cipher and TLS 1.0.  If RC4 is found in any protocol, then an error is shown.  If TLS 1.0 is found, a warning is displayed.  The link is https://www.webclinicpro.com/website-security-scanner-authorizenet.  Please feel free to use it and let me know if you have any suggestions.