Anyone who uses our APIs, Custom Checkout, and/or Response Notification.
Any transactions using TLS 1.0 and TLS 1.1 after April 30, 2018 will fail.
What is TLS?
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any messages. TLS is the successor to the Secure Sockets Layer (SSL). Secure HTTP, or HTTPS, is a familiar application of SSL/TLS in e-commerce or password transactions.
Why the update?
PCI Data Security Standard (PCI DSS) mandated that TLS 1.0 cannot be used after June 30, 2018 for safeguarding payment data. Bambora North America is committed to being fully compliant and adhering to the highest standards before the cutoff date and will no longer accept transactions using TLS 1.0 and TLS 1.1 after April 30, 2018.
Steps to take?
We are working to create a separate endpoint for you to confirm your transactions are being processed. It may require additional development work for your integration to become compliant. We are expecting to have the separate endpoint ready by January 30, 2018
You can test your integration after January 30, 2018. We will update this section with steps to take to confirm your integration in mid-January.
Are my customers impacted by this change?
Possibly. If the cardholder uses a deprecated browser (older than 2013) or an old device that does not support the TLS 1.2 security protocol, the payment page will not be displayed. There will be no specific warning on the issue. The cardholder will have to upgrade to a newer web browser. Click here for more information about web browser TLS compatibility.
Why is Bambora disabling both TLS 1.0 and TLS 1.1?
PCI Data Security Standard (PCI DSS) mandated that TLS 1.0 cannot be used after June 30, 2018 for safeguarding payment data. Bambora North America will disable TLS 1.1 at the same time to ensure we maintain the highest security standards.
Are there external resources available to assess my current implementation of TLS?
To test your implementation, you are welcome use external tools offered by sites such as https://www.ssllabs.com and https://www.howsmyssl.com. We are working on a guide that will walk you through the steps of using these tools and will share it with you come January.
What are the consequences of not being up to date with security protocols?
The PCI council requires Payment Service Providers like Bambora to depreciate older protocols that are no longer considered secure. This means that connections using TLS 1.0 and TLS 1.1 will be considered as not secure by our system and will fail.
I know my integration is up to date.
Perfect, then you don’t have to worry. We still do recommend that you process a transaction at the new endpoint to really confirm.
What happens if I don’t update my integration?
If your integration is using TLS 1.0 and TLS 1.1 after April 30, 2018 all your transactions will fail.
I use Checkout, Virtual Terminal, and/or the Hosted Payment Form. Am I impacted?
No. Those that use Checkout, Virtual Terminal, or the Hosted Payment Form are not impacted as the transaction are initiated from our system (you aren’t sending information to our server).
However, if you are using Response Notification, you should confirm that your system can handle TLS 1.2 through the steps outlined above.
I use Sage 50. Am I impacted?
You have to update to version 2018.1 of Sage 50 before April 30th 2018.