PayPal TLS 1.2 Upgrade

Hi guys,

Just wondering if you are aware of the TLS upgrade from PayPal that is coming into effect in June 2017?

devblog.paypal.com/upcoming-security-changes-notice/

As PayPal is pretty important to us, we definitely do not need any disruption in the service provided.

If you already knew about this then I guess you can ignore this!

Hello Mark

You can ignore this. Membership Pro (or any of our extensions) are not affected by this update

Regards,

Tuan

I take it that the same applies to the Authorize.net TLS upgrade that comes a short time later?

Hello Eric

Could you please send me the link to the page on Authorize.net website which mentions about this change so that I can take a look and make sure necessary change is implemented to the plugin if needed?

Tuan

It was actually an email that I received. I've copied the email here:
Important TLS Disablement Notice

Your Payment Gateway ID: XXXXXX
Dear Authorize.Net Merchant:

As you may be aware, new PCI DSS requirements state that all payment systems must disable early TLS by 2018. Transport Layer Security (TLS), is a technology used to encrypt sensitive information sent via the Internet. TLS is the replacement for Secure Sockets Layer (SSL).

In preparation for this requirement, Authorize.Net plans to disable TLS 1.0 and TLS 1.1 on the following dates:

Sandbox: COMPLETE
Production: September 18, 2017

We have disabled the sandbox in advance of production to allow you and your developer time to test your website or payment solution and ensure you are no longer using TLS 1.0 or 1.1 prior to September 18th.

Please contact your web developer or payment solution provider, as well as your web hosting company, to confirm that they can support TLS 1.2 for your API connections.

In addition, we plan to retire the 3DES cipher (a data encryption standard) in production soon. However, the date has not yet been finalized. We will notify you once it has.

Please refer your developer or solution provider to our API Best Practices for cipher recommendations, details about TLS 1.2 platform support, and other integration suggestions.

Note: If you are not using the current version of your web browser, please take a few moments to upgrade it now. Browsers released prior to 2014 may not support TLS 1.2. You can check your browser's TLS support by visiting www.howsmyssl.com/ .

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net

We use the Authorize.net plug-in as well. Please let me know if an update is needed.

Hi all

We will check the details changes from Authorize.net. If the changes is needed, we are going to update the package to have it compatible with the requirement. Thanks for informing us about this change

Regards,

Tuan

Were any updates required on the Authorize.net plug-ins throughout your products per the email below?

---

As you may be aware, new PCI DSS requirements state that all payment systems must disable earlier versions of TLS protocols. These older protocols, TLS 1.0 and TLS 1.1, are highly vulnerable to security breaches and will be disabled by Authorize.Net on February 28, 2018.

To help you identify if you’re using one of the older TLS protocols, Authorize.Net will temporarily disable those connections for a few hours on January 30, 2018 and then again on February 8, 2018.

Please refer to our TLS FAQs for important details.

Based on the API connection you are using, on either one of these two days you will not be able to process transactions for a short period of time. If you don’t know which API you’re using, your solution provider or development partner might be a good resource to help identify it. This disablement will occur on one of the following dates and time:

· Akamai-enabled API connections will occur on January 30, 2018 between 9:00 AM and 1:00 PM Pacific time.
· All other API connections will occur on February 8, 2018 between 11:00 AM and 1:00 PM Pacific time.
Merchants using TLS 1.2 by these dates will not be affected by the temporary disablement. We strongly recommend that connections still using TLS 1.0 or TLS 1.1 be updated as soon as possible to the stronger TLS 1.2 protocol. If your current Virtual Point of Sale (VPOS) is an Authorize.Net product, please call Authorize.Net Customer Support at 1.877.447.3938 for assistance in updating to TLS 1.2.

Note: If you are not using a current version of a web browser, please take a few moments to upgrade it now. Browsers released prior to 2014 may not support TLS 1.2. You can check your browser's TLS support by visiting www.howsmyssl.com/ .

If you have any questions about this email or the upcoming TLS disablement, please refer to our TLS FAQs. Thank you for your attention to this matter and for being an Authorize.Net merchant.

Hi Barry

Yes. You need to update to latest version 2.12.0 of Membership Pro. From that version, we force to use TLS 1.2 for Authorize.net payment plugin for processing payment

Regards,

Tuan