Withdrawal of support for old SSL / TLS protocols

From 2 May 2018, Payment Card Industry rules will require Worldpay to withdraw some of the encryption methods used to send and receive card details over the internet.

This is to ensure that we process your customers’ card details securely. The encryption methods we’re withdrawing are Secure Sockets Layer (SSL) and Transport Layer Security (TLS) version 1.0.

We recommend passing this message to the technical team who manage your connection to Worldpay, as they are best placed to advise you on what you’ll need to do.

Why are we making these changes?

To ensure that our industry uses the highest levels of security, the PCI Security Standards Council has mandated that strong cryptography, meaning Transport Layer Security v1.1 (TLS v1.1) or above, is used wherever payment card information is sent or received.

Transport Layer Security is a secure protocol used to communicate over computer networks. It replaces Secure Sockets Layer (SSL), the most widely used encryption protocol for twenty years, which remains in widespread use today.

Since its development in 1999, TLS v1.0 has been superseded by TLS v1.1 and TLS v1.2.

SSL and TLS v1.0 are no longer regarded as strong cryptography, and can no longer be used to transmit payment information securely to our gateways.

What you need to do

You will need to support TLS v1.1 or above for your payment submissions by 2 May 2018. We strongly recommend TLS v1.2, as not all implementations of TLS v1.1 are considered secure.

Please make a test payment through your payment pages, including your Hosted Call Centre, or Virtual Terminal (Worldaccess).

If you use our High Capacity Gateway, we have created a test environment that only supports TLS 1.1 or higher to let you test the changes. You can either test https://test1.wpstn.com/stlinkssl/stlink.dll?StringIn=version in a browser, or send a test transaction to https://test1.wpstn.com/stlinkssl/stlink.dll, both of which will provide a response.

If you have issues making a test payment, please follow the steps below:

Investigate

  • Speak to your website support team and suppliers (such as your shopping cart provider) to make sure you can support TLS v1.1 or higher.
  • You can also run vulnerability scans which will identify which protocols you are currently supporting.

Act

  • Switch to the latest versions of software that you use in your payment process, and ensure these are configured for TLS 1.1 or higher.
  • If you use our Hosted Call Centre or Worldaccess, please be aware that older versions of Internet Explorer on Microsoft Windows XP and Vista don’t support TLS v1.1 or higher. Other browsers on Microsoft Windows XP and Vista may also experience issues.
  • Configure any existing software to support TLS v1.1, and preferably TLS 1.2. You can find instructions on your suppliers’ websites, or through help forums. The process will be different for each piece of software.

Review

Once you’ve upgraded to support at least TLS v1.1:

  • Test the changes by making another test payment, including through your Hosted Call Centre, or Virtual Terminal (Worldaccess)
  • Perform penetration tests and vulnerability scans to ensure your system is protected
  • Ensure you are up-to-date with the latest version of Transport Layer Security as new versions are released, making use of any automatic update features in your software

The effect on your customers

Following the update, shoppers will also need to support TLS v1.1 or higher to enter secure card details. This means that if shoppers use an older internet browser (Internet Explorer or other browsers on Microsoft Windows XP and Vista) they may not be able to access your payment pages.

You may wish to use a detection script on your website to see what encryption protocol your customers are using.

The following script is an example only. Worldpay cannot take responsibility for the use of content found on third-party websites outside its control:

<script>
// Callback invoked by the JSONP response from howsmyssl.com loaded below.
window.parseTLSinfo = function (data) {
  // tls_version looks like "TLS 1.2"; compare its numeric part.
  var browserLacksSupport = parseFloat(data.tls_version.split(' ')[1]) < 1.2;
  if (browserLacksSupport) {
    alert('Your browser is using an outdated security protocol \'' + data.tls_version + '\', please update to the latest browser version.');
  }
};
</script>
<script src="https://www.howsmyssl.com/a/check?callback=parseTLSinfo"></script>
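
An added example (not Worldpay's or howsmyssl's code) that goes one step beyond the script above: it sorts collected `tls_version` strings into the three outcomes this page describes, so you can estimate how many shoppers the cut-off affects. The function names and the sample values are constructed for illustration; the "TLS 1.2" string format is the one the script above already relies on.

```javascript
// Policy taken from this page: SSL and TLS 1.0 are withdrawn,
// TLS 1.1 is the minimum, TLS 1.2 is the recommended version.
const MINIMUM = [1, 1];
const RECOMMENDED = [1, 2];

// Compare [major, minor] pairs as integers, so "1.10" is not read as 1.1.
function compareVersion(a, b) {
  return a[0] !== b[0] ? a[0] - b[0] : a[1] - b[1];
}

// Hypothetical helper: classify one reported string such as "TLS 1.2".
function classifyTls(reported) {
  const m = /^\s*(TLS|SSL)\s*v?(\d+)(?:\.(\d+))?\s*$/i.exec(String(reported));
  if (!m) return 'unknown';                      // missing or malformed report
  if (m[1].toUpperCase() === 'SSL') return 'blocked';
  const version = [Number(m[2]), Number(m[3] || 0)];
  if (compareVersion(version, MINIMUM) < 0) return 'blocked';
  if (compareVersion(version, RECOMMENDED) < 0) return 'accepted';
  return 'recommended';
}

// Tally a batch of reports, e.g. the values your pages logged per shopper.
function summarize(reports) {
  const counts = { blocked: 0, accepted: 0, recommended: 0, unknown: 0 };
  for (const r of reports) counts[classifyTls(r)] += 1;
  return counts;
}

// Constructed sample data, not real shopper traffic.
const sampleReports = ['TLS 1.2', 'TLS 1.0', 'TLS 1.3', 'TLS 1.1', 'SSL 3.0', '', 'TLS 1.2'];
console.log(summarize(sampleReports));
```

The script above executes whatever JavaScript the third-party endpoint returns, so keep it off the pages that collect card details and record the reported value on your own server for this tally.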

Using the correct URL to access our services

As part of the upgrades, you should also make sure you’re using the correct URLs to access our services.

If you use your own software to connect to Worldpay, please ensure you are using the correct URL. If you use a third-party supplier such as a shopping cart, please ensure that you are using the latest version of the shopping cart and, where applicable, the latest available vendor plugin.

We’re looking to decommission our legacy URLs: rbsworldpay.com, bibit.com, ims.worldpay.com, and streamline-esolutions.com by 2 May 2018.

For a list of legacy and replacement URLs, please see the following table. Please note that the table below is not an exhaustive list:

Legacy URL                              Correct URL
--------------------------------------  ---------------------------
secure-test.bibit.com                   secure-test.worldpay.com
secure-test.ims.worldpay.com            secure-test.worldpay.com
secure-test.wp3.rbsworldpay.com         secure-test.worldpay.com
secure-test.streamline-esolutions.com   secure-test.worldpay.com
select-test.wp3.rbsworldpay.com         secure-test.worldpay.com
secure.bibit.com                        secure.worldpay.com
secure.edi.bibit.com                    secure.worldpay.com
secure.ims.worldpay.com                 secure.worldpay.com
secure.wp3.rbsworldpay.com              secure.worldpay.com
select.wp3.rbsworldpay.com              secure.worldpay.com
secure.streamline-esolutions.com        secure.worldpay.com
futurepay-test.ims.worldpay.com         futurepay-test.worldpay.com
futurepay-test.wp3.rbsworldpay.com      futurepay-test.worldpay.com
futurepay.ims.worldpay.com              futurepay.worldpay.com
futurepay.wp3.rbsworldpay.com           futurepay.worldpay.com
dtd.bibit.com                           dtd.worldpay.com
dtd.streamline-esolutions.com           dtd.worldpay.com
third-party.wp3.rbsworldpay.com         third-party.worldpay.com
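
As an added example (not Worldpay's code), the following script uses the table above to find legacy hostnames in a configuration or source file and to rewrite the ones with a listed replacement. The function names and the sample configuration are constructed for illustration; hosts under the four legacy domains that the table does not list are reported with no replacement so they can be checked by hand.

```javascript
// Legacy hosts grouped by their replacement, copied from the table above.
const BY_REPLACEMENT = {
  'secure-test.worldpay.com': ['secure-test.bibit.com', 'secure-test.ims.worldpay.com',
    'secure-test.wp3.rbsworldpay.com', 'secure-test.streamline-esolutions.com',
    'select-test.wp3.rbsworldpay.com'],
  'secure.worldpay.com': ['secure.bibit.com', 'secure.edi.bibit.com', 'secure.ims.worldpay.com',
    'secure.wp3.rbsworldpay.com', 'select.wp3.rbsworldpay.com', 'secure.streamline-esolutions.com'],
  'futurepay-test.worldpay.com': ['futurepay-test.ims.worldpay.com',
    'futurepay-test.wp3.rbsworldpay.com'],
  'futurepay.worldpay.com': ['futurepay.ims.worldpay.com', 'futurepay.wp3.rbsworldpay.com'],
  'dtd.worldpay.com': ['dtd.bibit.com', 'dtd.streamline-esolutions.com'],
  'third-party.worldpay.com': ['third-party.wp3.rbsworldpay.com'],
};
const REPLACEMENTS = new Map();
for (const [target, hosts] of Object.entries(BY_REPLACEMENT)) {
  for (const h of hosts) REPLACEMENTS.set(h, target);
}
// Domains this page says are being decommissioned.
const LEGACY_DOMAINS = ['rbsworldpay.com', 'bibit.com', 'ims.worldpay.com',
  'streamline-esolutions.com'];
const HOSTNAME = /[a-z0-9-]+(?:\.[a-z0-9-]+)+/gi; // whole dotted names only

function isLegacy(host) {
  return LEGACY_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// Hypothetical helper: list every legacy hostname found in config or source text.
function findLegacyHosts(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const match of line.matchAll(HOSTNAME)) {
      const host = match[0].toLowerCase();
      // The table is not exhaustive: unlisted legacy hosts get replacement null.
      if (isLegacy(host)) {
        findings.push({ line: i + 1, host, replacement: REPLACEMENTS.get(host) || null });
      }
    }
  });
  return findings;
}

// Rewrite only hosts with a listed replacement; the rest need manual review.
function rewriteLegacyHosts(text) {
  return text.replace(HOSTNAME, (h) => REPLACEMENTS.get(h.toLowerCase()) || h);
}

// Constructed sample config, not taken from any real integration.
const sampleConfig = ['payment.url = https://SECURE.bibit.com/example',
  'other.url = https://example-unlisted.bibit.com/'].join('\n');
console.log(findLegacyHosts(sampleConfig));
```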

Find out more

For more information about these changes:

PCI changes on 2 May 2018