As you may know, in order to protect our clients and customers, we maintain a PCI compliance level 1 rating. This ensures that we are maintaining the highest standards of security for all critical data such as payment information. Recently, the PCI Security Standards Council determined that it was necessary to shut off all versions of the SSL protocol as well as TLS 1.0. In order to protect our clients and customers, we are required to have shut off TLS 1.0 prior to November 1, 2016. This maintenance has already been performed on multiple Digital River platforms, and we will be doing the same maintenance to the eSellerate platform. Multiple non-DR sites have already shut off SSL and TLS 1.0.
For the majority of our clients, the transition will be seamless, with web store traffic being mainly unaffected as most modern browsers support the use of TLS 1.1 and TLS 1.2 protocols. Any traffic that is generated by the end customer’s computer should continue working without issue as long as the customer has updated browser capabilities.
Some users of our advanced services (examples listed below) may need to ensure that their code and environment support making calls out to our servers using TLS 1.1 or TLS 1.2. We strongly recommend ensuring that you support TLS 1.2, as TLS 1.1 is required to be shut off by 2018. Any service utilized by our clients that involves calling an eSellerate endpoint could potentially be affected, depending on the client’s solution.
Many clients will be unaffected by this change, as newer framework versions inherently support calls via TLS 1.2, such as .NET version 4.5 and higher. Older code bases and environments may need to be upgraded in order to support the transition to TLS 1.1 or higher. Additional information for your particular solution can be found in various blogs and articles published on the Internet.
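For .NET clients, one way to confirm that outbound calls still work after the cutoff is the console check below. It is an added example, not code supplied by eSellerate or Digital River. On .NET 4.5 the TLS 1.1 and TLS 1.2 protocol values exist, but the framework's default is SSL 3.0 and TLS 1.0, so the code has to opt in. The class name and the URL passed on the command line are assumptions for illustration.

```csharp
using System;
using System.Net;

// Added example: verifies that this .NET runtime can complete an HTTPS call
// when only TLS 1.1 / TLS 1.2 are offered. The target URL is caller-supplied.
class Tls12Check
{
    static int Main(string[] args)
    {
        Uri uri;
        if (args.Length != 1 ||
            !Uri.TryCreate(args[0], UriKind.Absolute, out uri) ||
            uri.Scheme != Uri.UriSchemeHttps)
        {
            Console.Error.WriteLine("usage: Tls12Check <https-url>");
            return 2;
        }

        // Offer only TLS 1.1 and TLS 1.2. Without this line, .NET 4.5 offers
        // SSL 3.0 | TLS 1.0 and the handshake fails once the server has
        // switched those protocols off.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;

        try
        {
            var request = (HttpWebRequest)WebRequest.Create(uri);
            request.Method = "HEAD";
            request.Timeout = 15000; // milliseconds
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("OK: HTTP {0} received over TLS 1.1/1.2",
                                  (int)response.StatusCode);
                return 0;
            }
        }
        catch (WebException ex)
        {
            // An HTTP error status (404, 500, ...) still proves the TLS
            // handshake itself succeeded.
            if (ex.Status == WebExceptionStatus.ProtocolError)
            {
                Console.WriteLine("OK: handshake succeeded ({0})", ex.Message);
                return 0;
            }
            // SecureChannelFailure here usually means no common protocol version.
            Console.Error.WriteLine("FAILED: {0} ({1})", ex.Status, ex.Message);
            return 1;
        }
    }
}
```

`ServicePointManager.SecurityProtocol` is process-wide, so in a real application set it once at startup, before the first outbound request.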
Advanced services potentially affected:
- Activation (does not include manual activation)
- EWS purchases (dependent on customer’s browser capabilities)
- Integrated eSellers (further investigation in process)
- Order lookup service
- Subscription service (this is a utility web service. Purchase and renewal of subscriptions will not be affected)
- Cancel subscription service
- Any calls to web services or pages on the esellerate.net or reg.net domains that are performed via code.
For more information, we have located the following articles:
Blog with information on the PCI change - https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
SSL Labs site to test for SSL capabilities - https://www.ssllabs.com/
SSL Labs documentation with information on SSL/TLS best practices and other helpful information - https://www.ssllabs.com/projects/documentation/
PCI security standards documentation on migration - https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf