Hello Team
Hope this email finds you well!

Looking for some clarification around the Cybersource Upcoming Mandates notification sent to merchants. We (paydock) are a Payment orchestration platform provider to merchants and looking for some clarification around below notification received from CyberSource.

Referring below notification received from CyberSource, Pls confirm below:

* Do merchants need to regenerate API keys if they are using their pts/v2/... and tms/v2/... API endpoints ?

Below Comms are  Received from cybersourse:

"Dear Valued Customer,

The security of our clients' information is top priority, and with this in mind we are enhancing our REST and Simple Order API security requirements.

Below is a listing of three security requirements which are mandated for completion starting January 22nd, 2024.

Please ensure your systems are up to date to comply with each requirement.

Failure to be ready for each of these changes could cause a service interruption for your business.

· REST API Digest Parentheses Removal (REST HTTP Signature) - Cybersource API calls using HTTP Signature authentication must adhere to industry standards and will no longer support the use of parentheses within the HTTP header. Production Implement by Date: January 22nd, 2024.

· Default Password p12 Keys (Simple Order API, REST JWT, Batch Upload, Account Updater Batch Upload) - All Cybersource issued P12 keys created after the implementation date will be secured with a password set by the user during key generation within the Cybersource Business Center. This password will not be stored within Cybersource systems and must be securely stored by the user to open the key file and/or for use with your API implementation. Production Implement by Date: February 28th, 2024

· SHA 256 Envelope p12 Keys (Simple Order API, REST JWT) - P12 keys will be generated with an enhanced HmacPBESHA-256 algorithm. This may cause older SDK's and/or Operating Systems to not be able to access the key. Production Implement by Date: February 28th, 2024.

For more information, please visit our Knowledge Base article with updated details and dates as we move closer.

Please do not hesitate to contact the Cybersource support team if you have any questions or concerns. Cybersource Support Center"

Await for your clarification. 

Thanks 

Is the updated version of the AuthenticationSdk in Maven version "0.0.28"?
 See pom.xml below
<!-- https://mvnrepository.com/artifact/com.cybersource/AuthenticationSdk -->
<dependency>
<groupId>com.cybersource</groupId>
<artifactId>AuthenticationSdk</artifactId>
<version>0.0.28</version>
</dependency>

Actually, in re-reading the knowledge base doc I see that it is referring to the cybersource-rest-client-java having updates not the AuthenticationSdk. So similar question to above.

Is the updated version of the cybersource-rest-client-java in Maven version "0.0.57"?
 See pom.xml below
<!-- https://mvnrepository.com/artifact/com.cybersource/cybersource-rest-client-java -->
<dependency>
<groupId>com.cybersource</groupId>
<artifactId>cybersource-rest-client-java</artifactId>
<version>0.0.57</version>
</dependency>

Hello Team, we are using Simple Order API Client similar to Using SOAP (cybersource.com) document, do we need to make any changes and also is it possible to test our integration in test environment prior?

Hello Team,

we are usind this java sdk:

<dependency>
 <groupId>com.cybersource</groupId>
 <artifactId>cybersource-sdk-java</artifactId>
 <version>6.2.13</version>
</dependency>

Do we need to upgrade it?

Thanks in advance

Michele

Cybersource has stated above, "Until Jan 22, 2024, the platform will accept both formats: with and without parenthesis,"  implying that after January 22, the old format will no longer be accepted *IN PRODUCTION*. 

On what date may we expect the old format to stop working in the *NON-PRODUCTION* testing environment?  Only at that point can we do a valid test to see if our changes are actually working.  If we find our changes do not work in the non-prod environment, we'll need some additional time to rework and retest them.

Surely you realize the importance of having the non-prod environment reflect the anticipated production environment *before* (preferably months before) you make the change to production. You seem to be avoiding this question, as it was asked above by both Navaneetha Battu and RandyK and was left unanswered in both cases. That is, unless I've misunderstood, and by "the platform" you mean both production and non-production testing environments

If you don't currently have an answer, when do you expect to have made a decision regarding the non-production testing environment? Is there something standing in the way of making such a decision? Or are you telling us that the non-production changes will be rolling out the same day as the production changes?

Hi,

Our integration is built on these two SDKs, do we need to upgrade anything? Thank you!

I agree with Billy.

Please provide a response to him.

@rajvpate Hello, we are using the CyberSource module 3.5.6 for Adobe Commerce Cloud 2.4.2.  It is configured to use the SOAP Toolkit API as our Payment API and Flex Microform as the Checkout Flow Type.  Does this requirement for January 22, 2024 affect us at all?  Thanks.

Sorry, in the above question, we are currently using CyberSource module 3.5.4 (not 3.5.6 ) for Adobe Commerce Cloud 2.4.2.  Will we be OK on January 22, 2024?

Hello, 

We are using  cybersource  Simple Order API- Decision Manager check SOAP service in our application. We got the email from Cybersource. Do we need to upgrade SOAP APIs also? Please confirm 

Hello Team,

about "SHA 256 Envelope p12 Keys (Simple Order API, REST JWT) - P12 keys will be generated with an enhanced HmacPBESHA-256 algorithm. This may cause older SDK's and/or Operating Systems to not be able to access the key. Production Implement by Date: February 28th, 2024."

Our JDK supports these chiper algoritms:

- PBEWithHmacSHA256AndAES_128
- PBEWithHmacSHA256AndAES_256

So does my environment support the new algorithm? I'm not sure about the end part AES_128/256 that is not specified here: HmacPBESHA-256.

Thanks in advance

Michele

@rajvpatestated: The non production & production environment both shall exhibit the same behavior. If the requests you send without parenthesis in the non-production environment behaves as expected, you should be good.

Imagine this: Our code contains 3 places where we call Cybersource. We fix two of those places, but mistakenly miss the 3rd.  Our code will continue to work in both PROD and NON-PROD until you make the change.  At that point, it will fail in both places and we will be left scrambling to push a fix into production in a rush.

We wish to avoid that.  Given the scenario above, please explain how we be sure things would work before you make the production cut-over. 

Hi,

We are using the below two dependencies,

<dependency>
<groupId>cybslib</groupId>
<artifactId>cybsclients</artifactId>
<version>1.5</version>
<scope>compile</scope>
</dependency>

<dependency>
<groupId>cybslib</groupId>
<artifactId>cybssecurity</artifactId>
<version>1.0</version>
<scope>compile</scope>
</dependency>

Do we need to do any changes on SDK upgrade or for p12 key change? Pls assist.

Hi.,

Is there any instruction set to check if Cybersource SDK is used?

If Simple Order APIs are only used,  then still do Cybersource SDK version upgrade needed?

Regards,

Arun Kamaraj

Hello,

My team received an email containing the following statement "Cybersource will no longer accept parentheses in p12 files to adhere to industry standards"

From my understanding the (request-target) vs. request-target change has no relation to the .p12 files, can you confirm? I want to make sure that as long as we are not using (request-target) in the signature of our REST api calls we shouldn't see any issues.

Thank you

Hello Team,

As stated earlier, any SDK version from the provided link and newer versions will include the fix: like cybersource-rest-client-php version 0.0.44

However, our application is built on PHP 7.4, and we are considering using the cybersource-rest-client-php version 0.0.40. Can you confirm if this version includes all the necessary fixes?

Hello,

Good day to you! 

Could you provide the latest production implementation date for the items below? Thank you.

1. REST API Digest Parentheses Removal (REST HTTP Signature) - Cybersource API calls using HTTP Signature authentication must adhere to industry standards and will no longer support the use of parentheses within the HTTP header. Latest Production Implement by Date: ____
   
   
2. Default Password p12 Keys (Simple Order API, REST JWT, Batch Upload, Account Updater Batch Upload) - All Cybersource issued P12 keys created after the implementation date will be secured with a password set by the user during key generation within the Cybersource Business Center. This password will not be stored within Cybersource systems and must be securely stored by the user to open the key file and/or for use with your API implementation. Latest Production Implement by Date: ____
   
   
3. SHA 256 Envelope p12 Keys (Simple Order API, REST JWT) - P12 keys will be generated with an enhanced HmacPBESHA-256 algorithm. This may cause older SDK's and/or Operating Systems to not be able to access the key. Latest Production Implement by Date: ____

I realise from the above comments that this seems to be falling on deaf ears, but I would also like to raise my concerns about the test environment. It makes perfect sense for production to run in this cut-over mode, where the headers both with and without brackets are accepted - it allows us to patch systems and implement on our own schedule. It does not however make sense for this to be the case for the test environment. IMHO that should already reflect the state that production will be in once the cut-over has expired, so that we can reliably test our code in advance and not have any unpleasant surprises on the day.

If I were a new implementer, I'd be following the current docs which don't have the brackets in the header, so I'd be fine. If I were testing an existing system and somehow wasn't aware a change was coming, or was part-way through an implementation, it'd be beneficial for my testing to fail immediately, leading to an investigation and hopefully a realisation that changes were afoot. Finally, as someone aware of the change and about to embark on their necessary changes (or indeed having recently completed them), I'd appreciate knowing not only when my changes were successful, but that I'd not inadvertently missed anything.

In summary as far as I can tell there is no value in having the public test environment accept the bracketed header, other than internal benefit for Barclaycard so that they can continue to evaluate pre-production changes, but I'd like to think they have an isolated non-public system for that anyway.

We received an email on Feb 14, 2024 that stated

As previously announced, Cybersource no longer supports REST API requests using HTTP signature authentication to parentheses in the Authentication Payload used by REST integrations to adhere to industry standards.  Cybersource began this change on November 1, 2023, but will continue to support signatures containing parentheses until Mar 22, 2024.

This articles mentions Apr 22, 2024.

Which is right?

hi Admin, does 22 April 2024 timeline apply to all 3 items in this enhancement? or only apply to item 1 (REST API Digest Parentheses Removal (REST HTTP Signature)?

Thank you.

Hi Admin @rajvpate ,

Based on latest update, do we still need to make any changes on the 3 items mentioned previously?

1. To remove REST API Digest Parentheses
2. To secure all Cybersource-issued P12 keys with a user-created password
3. To generate P12 keys with an enhanced HmacPBESHA-256 algorithm 

Thank you.