The Authorize.Net Developer Blog

Authorize.Net begins TLS 1.0 Remediation for PCI DSS compliance

by Administrator, 07-07-2015 01:20 PM, edited 04-19-2017 11:12 AM

Update, 4-19-2016: Please refer to this blog post for the latest details.

 

Update, 4-26-2016: We have an update to our TLS plans. Please read this announcement for details.

 

Update, 12-16-2015: We are still finalizing our plans for remediating TLS 1.0 in both Sandbox and Production. In addition, we are discussing the possibility of disabling TLS 1.1 at the same time. While TLS 1.1 is not strictly forbidden by PCI DSS 3.1, there are enough security concerns that we may disable TLS 1.1 as well as TLS 1.0.

Regardless, we strongly urge all merchants and developer partners to use the strongest available protocols for their API integrations. As of this writing, that would be TLS 1.2.

 

Update, 7-27-2015: The disabling of TLS 1.0 in Sandbox is delayed until further notice. We will make an update here once we have a new date for this change.

 

On July 27, 2015, Authorize.Net will disable TLS 1.0 in our Sandbox environment. This will provide developers an environment to test their integrations and confirm they are ready for the new PCI DSS requirements.

 

After July 27, 2015, any solution that does not support TLS 1.1 or TLS 1.2 will see API connection failures in our Sandbox environment. While the underlying cause will be a failed TLS negotiation, your solution may report these as Internet connection failures, general errors, or declines. Please check with your solution provider for troubleshooting suggestions that help resolve connectivity issues.
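A failed TLS negotiation can usually be told apart from an ordinary connectivity error by the text the client library logs. The following is an added example, not Authorize.Net code: a Python triage over a constructed log, where the host name `sandbox.example`, the timestamps and the sample lines are assumptions, and the signature list covers only common messages from OpenSSL-based clients, Java and .NET.

```python
import re
from collections import Counter

# Messages clients commonly emit when the server rejects the offered TLS version.
TLS_SIGNATURES = [
    r"alert protocol version",                   # OpenSSL-based clients (cURL, PHP, Python)
    r"fatal alert: protocol_version",            # Java JSSE
    r"could not create ssl/tls secure channel",  # .NET WebException
    r"unsupported protocol",                     # OpenSSL: no protocol version in common
]
# Ordinary connectivity problems, which call for a different fix.
NETWORK_SIGNATURES = [
    r"connection refused",
    r"could not resolve host",
    r"timed out",
    r"no route to host",
]
_TLS_RE = re.compile("|".join(TLS_SIGNATURES), re.IGNORECASE)
_NET_RE = re.compile("|".join(NETWORK_SIGNATURES), re.IGNORECASE)


def classify(line):
    """Return 'tls_negotiation', 'network' or 'other' for one log line."""
    if _TLS_RE.search(line):
        return "tls_negotiation"
    if _NET_RE.search(line):
        return "network"
    return "other"


def triage(lines):
    """Count log lines per category."""
    return Counter(classify(line) for line in lines)


# Constructed sample log: timestamps and the host name are placeholders.
SAMPLE_LOG = [
    "2015-07-28 09:14:02 curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version",
    "2015-07-28 09:14:05 javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version",
    "2015-07-28 09:14:09 System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.",
    "2015-07-28 09:15:11 curl: (7) Failed to connect to sandbox.example port 443: Connection refused",
    "2015-07-28 09:15:40 curl: (6) Could not resolve host: sandbox.example",
    "2015-07-28 09:16:02 Transaction failed: unable to contact payment gateway",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(f"{classify(entry):16} {entry}")
    print(dict(triage(SAMPLE_LOG)))
```

Lines that land in `other` are typically application-level messages; the TLS signature usually appears only in the lower-level HTTP client or runtime log.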

 

Authorize.Net will be disabling TLS 1.0 in Production at a later time to be determined, ahead of the June 30, 2016 deadline set by PCI DSS.

 

The following operating systems, components, and frameworks are known to support TLS 1.1 and 1.2:

 

Windows Server: Version 2008 R2 and later. (Source)

.NET: Version 4.5 and later. Requires Windows Server 2008 R2 SP1. (Source 1, Source 2)

OpenSSL: Version 1.0.1 and later. (Source)

cURL: Version 7.34.0 and later. (Source)

PHP: Version 5.6 and later. Requires OpenSSL 1.0.1 and later. (Source)

Java: JRE 1.7 / JDK 7 and later. (Source)

ColdFusion: Version 10 with JRE 1.8; Version 11 with JRE 1.7 or greater. (Source)

Perl: Depends on implementation. Net::SSLeay requires OpenSSL 1.0.1 and later. (Source)

Nginx: Version 0.7.65/0.8.19 and later. Requires OpenSSL 1.0.1 and later. (Source 1, Source 2)

MacOS: Version 10.9 AKA Mavericks. (Source)

iOS: Version 5 and later. (Source)

Android OS: Version 4.2 and later. Requires OpenSSL 1.0.1 and later (bundled by default). (Source)

 

We will add to this list as needed.

 

Notes:

 

  1. Windows Server 2008 R2 does NOT enable TLS 1.1/1.2 by default. Please consult https://technet.microsoft.com/en-us/library/dn786418.aspx for details on how to enable TLS 1.1/1.2.
  2. Many of the above technologies depend on OpenSSL. To ensure TLS 1.1/1.2 works, you will need to upgrade both OpenSSL and the technology that depends on it.