From 2 May 2018, Payment Card Industry rules will require Worldpay to withdraw some of the encryption methods used to send and receive card details over the internet.
This is to ensure that we process your customers’ card details securely. The encryption methods we’re withdrawing are Secure Sockets Layer (SSL) and Transport Layer Security (TLS) version 1.0.
We recommend passing this message to the technical team who manage your connection to Worldpay, they are best placed to advise you on what you’ll need to do.
Why are we making these changes?
To ensure that our industry uses the highest levels of security, the PCI Security Standards Council has mandated that strong cryptography - Transport Layer Security v1.1 (TLS v1.1) or above, is used wherever payment card information is sent or received.
Transport Layer Security is a secure protocol used to communicate over computer networks. It replaces Secure Sockets Layer (SSL), the most widely-used encryption protocol for twenty years which remains in widespread use today.
Since its development in 1999, TLS v1.0 has been superseded by TLS v1.1 and TLS v1.2.
SSL and TLS v1.0 are no longer regarded as strong cryptography, and can no longer be used to transmit payment information securely to our gateways.
What you need to do
You will need to support TLS v1.1 or above for your payment submissions by 2 May 2018. We strongly recommended TLS v1.2, as not all implementations of TLS v1.1 are considered secure.
Please make a test payment through your payment pages, including your Hosted Call Centre, or Virtual Terminal (Worldaccess).
If you use our High Capacity Gateway, we have created a test environment that only supports TLS 1.1 or higher to let you test the changes. You can either test https://test1.wpstn.com/stlinkssl/stlink.dll?StringIn=version in a browser, or send a test transaction to https://test1.wpstn.com/stlinkssl/stlink.dll, both of which will provide a response.
If you have issues making a test payment, please follow the steps below:
Once you’ve upgraded to support at least TLS v1.1:
The effect on your customers
Following the update, shoppers will also need to support TLS v1.1 or higher to enter secure card details. This means that if shoppers use an older internet browser (Internet Explorer or other browsers on Microsoft Windows XP and Vista) they may not be able to access your payment pages.
You may wish to use a detection script on your website to see what encryption protocol your customers are using.
The following script is an example only, Worldpay cannot take responsibility for the use of content found on third party Web sites outside its control:
As part of the upgrades, you should also make sure you’re using the correct URLs to access our services.
If you use your own software to connect to Worldpay, please ensure you are using the correct URL, if you use a third party supplier such as a shopping cart, please ensure that you are using the latest version of the shopping cart and, where applicable, the latest available vendor plugin.
We’re looking to decommission our legacy URLs: rbsworldpay.com, bibit.com, ims.worldpay.com, and streamline-esolutions.com by 2 May 2018.
For a list of legacy and replacement URLs, please see the following table. Please note that the below table is not an exhaustive list:
|Legacy URL||Correct URL|
Find out more
For more information about these changes:
PCI changes on 2 May 2018