TLS Deadline Approaching
Action Required


To test your browser, click here and view the Protocol Support:

https://www.ssllabs.com/ssltest/viewMyClient.html

 

We will be retiring the use of Transport Layer Security (TLS) 1.0 on July 31, 2018, in accordance with the requirements of the PCI Security Standards Council (PCI SSC). To ensure uninterrupted access to all of our websites and to any API integrations, web browsers and platforms must be updated to support TLS 1.2 before the July 31 deadline.

Below you will find additional information relevant to the requirement change. Your action is required to facilitate this update before July 31.

 

Please note, this change may also affect consumers attempting to process online payments. If you receive reports of residents being unable to process a payment, Certified Payments recommends having those users test their browsers at https://www.ssllabs.com/ssltest/viewMyClient.html to ensure they are operating on an accepted TLS protocol.
 


Questions? 
If you have further questions about this transition after reading the information below, please use the form at the bottom of the page to contact us.

Overview
 


What is TLS? 
Transport Layer Security (TLS) is the most widely deployed security protocol used today. Three versions are currently in use: TLS 1.0, 1.1, and 1.2. TLS 1.0 originated in 1999 as a replacement for SSL v3 and is now being deprecated globally.
Internet browser sessions, as well as API connections, utilize TLS to ensure data integrity and confidentiality.
What is changing? 
Starting July 31, 2018, TLS 1.0 will be disabled across the organization. Any connection made over TLS 1.0 will fail (Internet browser sessions and API integrations). TLS 1.0 will need to be disabled in order to connect to us in any way.
Why is this changing? 
TLS 1.0 is no longer considered a secure form of communication. The protocol is vulnerable to man-in-the-middle attacks, which compromise data integrity and confidentiality. Because of this, PCI standards mandate that TLS 1.0 can no longer be a form of compliant communication and must be deprecated. The PCI Council will officially deprecate TLS 1.0 on July 31, 2018.
In order to provide the maximum level of security for our partners and merchants, we will be abiding by these requirements and will begin enforcing them July 31, 2018.
What actions need to be taken? 
The following actions need to be taken prior to July 31, 2018, to ensure that browsers and APIs do not have any interruptions in connectivity with our sites or systems.

  • Ensure that browsers have TLS 1.0 disabled and that you are using a compatible browser
  • Ensure that any APIs used are built on a compatible platform

Below are two tables that list all compatible browsers, platforms, and libraries.

Internet Browsers 
You need to ensure that your Internet browser is compatible with TLS 1.2. The following table displays the browsers that are compatible as well as instructions on how to disable/enable 1.0, 1.1, and 1.2:
 

Browser
Compatibility Notes
Microsoft Internet Explorer (IE)

Desktop and Mobile IE version 11
Compatible with TLS 1.1 or higher by default
If you see the "Stronger security is required" error message, you may need to turn off the TLS 1.0 setting in the Internet Options > Advanced Settings list.


Desktop IE versions 8, 9, and 10

Compatible only when running Windows 7 or newer, but not by default. Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2.
Desktop IE versions 7 and below
Not compatible with TLS 1.1 or higher encryption.
Mobile IE versions 10 and below
Not compatible with TLS 1.1 or higher encryption.
Microsoft Edge
Compatible with TLS 1.1 or higher by default.
Mozilla Firefox
Firefox 27 and higher
Compatible with TLS 1.1 or higher by default.
Firefox 23 to 26
Compatible, but not by default.
Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2.
Firefox 22 and below
Not compatible with TLS 1.1 or higher encryption.
Google Chrome
Google Chrome 38 and higher
Compatible with TLS 1.1 or higher by default.
Google Chrome 22 to 37
Compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile).
Google Chrome 21 and below
Not compatible with TLS 1.1 or higher encryption.
Google Android OS Browser
Android 5.0 (Lollipop) and higher
Compatible with TLS 1.1 or higher by default.
Android 4.4 (KitKat) to 4.4.4
May be compatible with TLS 1.1 or higher. Some devices with Android 4.4.x may not support TLS 1.1 or higher.
Android 4.3 (Jelly Bean) and below
Not compatible with TLS 1.1 or higher encryption.
Apple Safari
Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher
Compatible with TLS 1.1 or higher by default.
Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below
Not compatible with TLS 1.1 or higher encryption.
Mobile Safari versions 5 and higher for iOS 5 and higher
Compatible with TLS 1.1 or higher by default.
Mobile Safari for iOS 4 and below
Not compatible with TLS 1.1 or higher encryption.

 

API Integrations
If you communicate with our systems via API, then you need to ensure that the platform or library that you are running is compatible with TLS 1.2. The following table displays all platforms and libraries that are compatible with higher versions of TLS, as well as instructions on disabling/enabling 1.0, 1.1, and 1.2:

 

Platform or Library
Compatibility Notes
Java (Oracle)
Java 8 (1.8) and higher
Compatible with TLS 1.1 or higher by default.
Java 7 (1.7)
Enable TLS 1.1 and TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 and TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.
Java 6 (1.6) update 111 and higher
Enable TLS 1.1 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. This Java 6 update and newer updates are not publicly available and require a support contract for Java 6 from Oracle.
Java 6 (1.6) and below (publicly available version)
Not compatible with TLS 1.1 or higher encryption. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.
Java (IBM)
Java 8
Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application, or a library that it calls, uses SSLContext.getInstance("TLS").
Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM2.6) and higher, Java 6 service refresh 10 and higher
Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.
.NET
.NET 4.6 and higher
Compatible with TLS 1.1 or higher by default.
.NET 4.5 to 4.5.2
.NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.
Option 1:
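.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example; it also lists SecurityProtocolType.Tls, which leaves TLS 1.0 enabled in the application, so omit that value if the application should never negotiate TLS 1.0: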
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
Option 2:
It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
.NET 4.0
.NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file.

These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
.NET 3.5 and below
Not compatible with TLS 1.1 or higher encryption.
Python
Python 2.7.9 and higher
TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.
Ruby 1.9.3 and below
Not compatible with TLS 1.1 or higher encryption
Ruby
Ruby 2.0.0
TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.
Ruby 1.9.3 and below
The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher.
Microsoft WinINet
Windows Server 2012 R2 and higher; Windows 8.1 and higher
Compatible with TLS 1.1 or higher by default.
Windows Server 2008 R2 to 2012; Windows 7 and 8
Compatible by default if Internet Explorer 11 is installed. If Internet Explorer 8, 9, or 10 is installed, then TLS 1.1 and TLS 1.2 must be enabled by the user or an administrator for compatibility. Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer article to enable TLS 1.1 or higher encryption.
Windows Server 2008 and below; Windows Vista and below
Not compatible with TLS 1.1 or higher encryption.
Microsoft Secure Channel (Schannel)
Windows Server 2012 R2 and higher; Windows 8.1 and higher
Compatible with TLS 1.1 or higher by default.
Windows Server 2012
Windows 8
TLS 1.1 and TLS 1.2 are disabled by default, but are available if enabled by an application. TLS 1.1 and TLS 1.2 can be enabled by default within the registry. Those registry settings are also available as a registry import file.
Windows Server 2008 R2
Windows 7
Compatible by default in client mode when Internet Explorer 11 is installed. If Internet Explorer 11 is not installed or if Salesforce needs to connect to a service running on this type of system, then TLS 1.1 and TLS 1.2 can be enabled by default within the registry. Those registry settings are also available as a registry import file.
Windows Server 2008 and below; Windows Vista and below
Not compatible with TLS 1.1 or higher encryption.
Microsoft WinHTTP and Webio
Windows Server 2012 R2 and higher; Windows 8.1 and higher
Compatible with TLS 1.1 and TLS 1.2 by default.
Windows Server 2008 R2 SP1 and 2012; Windows 7 SP1
With KB3140245 applied, Webio is compatible by default, and WinHTTP can be configured via registry settings to enable TLS 1.1 and TLS 1.2.
Windows Server 2008 and below; Windows Vista and below
Not compatible with TLS 1.1 or higher encryption.
OpenSSL
OpenSSL 1.0.1 and higher
Compatible with TLS 1.1 or higher by default.
OpenSSL 1.0.0 and below
Not compatible with TLS 1.1 or higher encryption.
Mozilla NSS
3.15.1 and higher
Compatible with TLS 1.1 or higher by default.
3.14 to 3.15
Compatible with TLS 1.1, but not with TLS 1.2.
3.13.6 and below
Not compatible with TLS 1.1 or higher encryption.
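
Browser users can check their client with the SSL Labs page linked above, but an API integration has no browser to test with. The following is an added example, not part of the original notice or any vendor code: it asks the local Python runtime (3.7 or newer assumed) to build its ClientHello in memory, with no network traffic, and reports the highest protocol version that hello offers once TLS 1.2 is set as the minimum. The host name example.invalid, the function names, and the LEGACY_HELLO sample are constructed for illustration.

```python
import contextlib
import ssl
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Constructed sample: minimal ClientHello of a client that tops out at TLS 1.0 (no extensions).
_BODY = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_HS = b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY
LEGACY_HELLO = b"\x16\x03\x01" + len(_HS).to_bytes(2, "big") + _HS

def client_hello_bytes(ctx):
    """Start a handshake against in-memory BIOs (no network) and return the ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    with contextlib.suppress(ssl.SSLWantReadError):  # expected: no server will answer
        tls.do_handshake()
    return outgoing.read()

def highest_offered(record):
    """Name the highest protocol version offered in a ClientHello record."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                               # record hdr (5) + handshake hdr (4)
    offered = {struct.unpack_from("!H", record, pos)[0]}  # legacy client_version
    pos += 2 + 32                                         # version + random
    pos += 1 + record[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                                # compression methods
    if pos + 2 <= len(record):                            # extensions are optional
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == 43:                            # supported_versions (TLS 1.3 clients)
                body = record[pos + 5 : pos + 4 + ext_len]
                offered |= {v for (v,) in struct.iter_unpack("!H", body)}
            pos += 4 + ext_len
    return NAMES[max(v for v in offered if v in NAMES)]   # unknown/GREASE values ignored

def runtime_report():
    """Report what this Python/OpenSSL runtime offers once TLS 1.2 is the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # refuse TLS 1.0 and 1.1
    best = highest_offered(client_hello_bytes(ctx))
    return {"openssl": ssl.OPENSSL_VERSION, "highest_offered": best, "ok_after_cutoff": best in ("TLS 1.2", "TLS 1.3")}

if __name__ == "__main__":
    print(runtime_report(), "| constructed legacy client:", highest_offered(LEGACY_HELLO))
```

A client whose hello looks like LEGACY_HELLO is the kind that fails to connect after the cutoff; the same parser can be pointed at a captured ClientHello record from any other platform in the table.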