Withdrawal of support for old SSL / TLS protocols

Worldpay is postponing our previously communicated planned date for removing support for SSL and TLS 1.0, and we will now make this change on 21 May 2018. This is to give customers more time to test and deploy these changes.

Payment Card Industry rules will require Worldpay to withdraw support for these legacy encryption methods. These rules affect all Payment Service Providers:

https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf

We're making these changes in advance of the PCI DSS deadline of 30 June 2018. We're required to make these changes to ensure that we process your customers' card details securely. The encryption methods we’re withdrawing are Secure Sockets Layer (SSL) and Transport Layer Security (TLS) version 1.0.

We recommend passing this message to the technical team who manage your connection to Worldpay; they are best placed to advise you on what you’ll need to do.

Why are we making these changes?

To ensure that our industry uses the highest levels of security, the PCI Security Standards Council has mandated that strong cryptography, meaning Transport Layer Security v1.1 (TLS v1.1) or above, is used wherever payment card information is sent or received.

Transport Layer Security is a secure protocol used to communicate over computer networks. It replaces Secure Sockets Layer (SSL), the most widely used encryption protocol for twenty years, which remains in widespread use today.

Since its development in 1999, TLS v1.0 has been superseded by TLS v1.1 and TLS v1.2.

SSL and TLS v1.0 are no longer regarded as strong cryptography, and can no longer be used to transmit payment information securely to our gateways.

What you need to do

You will need to support TLS v1.1 or above for your payment submissions by 21 May 2018. We strongly recommend TLS v1.2, as not all implementations of TLS v1.1 are considered secure.

Please make a test payment through your payment pages, including your Hosted Call Centre, or Virtual Terminal (Worldaccess).

If you use our High Capacity Gateway, we have created a test environment that only supports TLS 1.1 or higher to let you test the changes. You can either test https://test1.wpstn.com/stlinkssl/stlink.dll?StringIn=version in a browser, or send a test transaction to https://test1.wpstn.com/stlinkssl/stlink.dll, both of which will provide a response.

If you have issues making a test payment, please follow the steps below:

Investigate

  • Speak to your website support team and suppliers (such as your shopping cart provider) to make sure you can support TLS v1.1 or higher.
  • You can also run vulnerability scans which will identify which protocols you are currently supporting.

Act

  • Switch to the latest versions of software that you use in your payment process, and ensure these are configured for TLS 1.1 or higher.
  • If you use our Hosted Call Centre or Worldaccess, please be aware that older versions of Internet Explorer on Microsoft Windows XP and Vista don’t support TLS v1.1 or higher. Other browsers on Microsoft Windows XP and Vista may also experience issues.
  • Configure any existing software to support TLS v1.1, and preferably TLS 1.2. You can find instructions on your suppliers' websites, or through help forums. The process will be different for each piece of software.

Review

Once you’ve upgraded to support at least TLS v1.1:

  • Test the changes by making another test payment, including through your Hosted Call Centre, or Virtual Terminal (Worldaccess)
  • Perform penetration tests and vulnerability scans to ensure your system is protected
  • Ensure you are up-to-date with the latest version of Transport Layer Security as new versions are released, making use of any automatic update features in your software

The effect on your customers

Following the update, shoppers will also need to support TLS v1.1 or higher to enter secure card details. This means that if shoppers use an older internet browser (Internet Explorer or other browsers on Microsoft Windows XP and Vista) they may not be able to access your payment pages.

You may wish to use a detection script on your website to see what encryption protocol your customers are using.

The following script is an example only. Worldpay cannot take responsibility for the use of content found on third party Web sites outside its control:

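<script>
// Callback invoked by the response from howsmyssl.com (loaded below).
window.parseTLSinfo = function(data) {
  // The version is read from the second word of data.tls_version.
  var browserLacksSupport = parseFloat(data.tls_version.split(' ')[1]) < 1.2;
  if (browserLacksSupport) {
    alert('Your browser is using an outdated security protocol \'' + data.tls_version + '\', please update to the latest browser version.');
  }
};
</script>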
<script src="https://www.howsmyssl.com/a/check?callback=parseTLSinfo"></script>
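
A stricter version of the check above, as an added example that is not Worldpay's or howsmyssl's code: it classifies a protocol label against the two thresholds on this page (TLS v1.1 required, TLS v1.2 recommended) and treats any SSL label as withdrawn, which a purely numeric comparison would miss for a label such as "SSL 3.0". The function names, the accepted label formats and the sample labels are assumptions made for illustration.

```javascript
// Added example (not Worldpay's code). Assumes labels such as "TLS 1.2" or
// "SSL 3.0"; the sample labels at the bottom are constructed.
const MINIMUM = [1, 1];      // TLS v1.1: required from 21 May 2018
const RECOMMENDED = [1, 2];  // TLS v1.2: strongly recommended

// Parse "<family> <major>.<minor>"; returns null for unrecognised input.
function parseProtocol(label) {
  const m = /^\s*(SSL|TLS)\s*v?(\d+)(?:\.(\d+))?\s*$/i.exec(String(label));
  if (!m) return null;
  return { family: m[1].toUpperCase(), version: [Number(m[2]), Number(m[3] || 0)] };
}

// Compare [major, minor] pairs numerically (avoids float and string pitfalls).
function atLeast(version, floor) {
  return version[0] !== floor[0] ? version[0] > floor[0] : version[1] >= floor[1];
}

// Classify a label against the policy described on this page.
function classifyProtocol(label) {
  const p = parseProtocol(label);
  if (!p) return 'unknown';
  if (p.family === 'SSL') return 'blocked';  // every SSL version is withdrawn
  if (!atLeast(p.version, MINIMUM)) return 'blocked';
  if (!atLeast(p.version, RECOMMENDED)) return 'allowed-not-recommended';
  return 'ok';
}

// Count how many observed labels fall into each class.
function summarize(labels) {
  const counts = { ok: 0, 'allowed-not-recommended': 0, blocked: 0, unknown: 0 };
  for (const label of labels) counts[classifyProtocol(label)] += 1;
  return counts;
}

// Callback with the same name as the one above: warns only when needed.
function parseTLSinfo(data) {
  const verdict = classifyProtocol(data && data.tls_version);
  if (verdict === 'blocked' || verdict === 'allowed-not-recommended') {
    alert('Your browser is using an outdated security protocol \'' + data.tls_version + '\', please update to the latest browser version.');
  }
  return verdict;
}

const SAMPLE = ['TLS 1.2', 'TLS 1.0', 'SSL 3.0', 'TLS 1.1', 'TLS 1.3', 'garbage'];
console.log(summarize(SAMPLE));
```
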

Find out more

Please speak to your Worldpay support team for more information about these changes.

PCI changes on 21 May 2018