Anyone who uses our APIs, Custom Checkout, and/or Response Notification.
Any transactions using TLS 1.0 and TLS 1.1 after April 30, 2018 will fail.
What is TLS?
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any messages. TLS is the successor to the Secure Sockets Layer (SSL). Secure HTTP, or HTTPS, is a familiar application of SSL/TLS in e-commerce or password transactions.
Why the update?
PCI Data Security Standard (PCI DSS) mandated that TLS 1.0 cannot be used after June 30, 2018 for safeguarding payment data. Bambora North America is committed to being fully compliant and adhering to the highest standards before the cutoff date and will no longer accept transactions using TLS 1.0 and TLS 1.1 after April 30, 2018.
We already support incoming TLS 1.2 connections so you should go ahead and update your own integration to support TLS 1.2 if you haven't done this yet.
Verify your payment API connection
To verify that you've fully deprecated TLS 1.0 and 1.1, we have created a separate TLS 1.2-only endpoint for you to use for confirmation.
This is a production endpoint, so we advise that you test your integration in the following way:
- Point your staging environment towards the following domain: https://tls12-api.na.bambora.com (as opposed to ‘https://api.na.bambora.com’)
- Process at least one attempt of all requests to each different endpoint (Payments, Profiles, Reporting, etc.) that your integration to Bambora includes.
- If the requests are successful, use your normal Bambora credentials to log in to the TLS 1.2-only back office at: https://tls12-web.na.bambora.com/admin/sDefault.asp and confirm that the transactions show up as expected.
Note: Any transactions that you process in this manner, especially if using real Credit Card information, are actual transactions. You may wish to void/return them through the back office immediately after processing.
Note 2: Even if you get a 'transaction declined' reply it is still a positive sign as it means your system was able to make a successful connection to our system.
Once all 3 steps above are completed you have verified that you've successfully deprecated TLS 1.0 and 1.1.
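Before sending any requests, a handshake-only probe shows whether the machine your integration runs on can negotiate TLS 1.2 with the endpoint above. The following is an added example, not Bambora code: the function names and port 443 are assumptions, and it only tests the Python/OpenSSL runtime it is executed with, so run it on the same host as your integration and still complete the three steps above.

```python
import socket
import ssl
from typing import NamedTuple, Optional

# Hostname is the TLS 1.2-only endpoint named on this page; port 443 is assumed.
TLS12_ONLY_HOST = "tls12-api.na.bambora.com"


class ProbeResult(NamedTuple):
    ok: bool                 # True only if a TLS 1.2+ handshake completed
    version: Optional[str]   # e.g. "TLSv1.2"; None if no handshake completed
    detail: str


def runtime_supports_tls12() -> bool:
    """Whether this Python/OpenSSL build can speak TLS 1.2 at all."""
    return bool(getattr(ssl, "HAS_TLSv1_2", False))


def tls12_floor_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str = TLS12_ONLY_HOST, port: int = 443,
          timeout: float = 5.0) -> ProbeResult:
    """Handshake with host and report the protocol version negotiated.

    No HTTP request is sent, so no transaction is created.
    """
    if not runtime_supports_tls12():
        return ProbeResult(False, None, "no TLS 1.2 in " + ssl.OPENSSL_VERSION)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = tls12_floor_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(True, tls.version(),
                                   "cipher " + tls.cipher()[0])
    except ssl.SSLError as exc:   # handshake or certificate failure
        return ProbeResult(False, None, "TLS failure: %s" % exc)
    except OSError as exc:        # DNS, refused connection, timeout
        return ProbeResult(False, None, "network failure: %s" % exc)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, probe())
```

A result with `ok=True` and a version of TLSv1.2 or later means this runtime can reach the TLS 1.2-only endpoint; a "TLS failure" result points at the local TLS library or trust store rather than at your credentials.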
Full documentation of our APIs can be found here: https://dev.na.bambora.com/docs/references/payment_APIs/v1-0-4/
Verify your onboarding API connection
If you already have an existing test integration with the Sandbox or UAT server, the existing API keys for the Sandbox/UAT server will also work on the new TLS 1.2 only server.
This guide can be used to help build your integration: https://dev.na.bambora.com/docs/guides/onboarding/
The guide can be followed exactly; however, calls should be made to
https://tls12-onboardingapi.na.bambora.com/v1/boarding/ (instead of https://sandbox-api.na.bambora.com/v1/boarding/)
Are my customers impacted by this change?
Possibly. If the cardholder uses a deprecated browser (older than 2013) or an old device that does not support the TLS 1.2 security protocol, the payment page will not be displayed. There will be no specific warning on the issue. The cardholder will have to upgrade to a newer web browser. Click here for more information about web browser TLS compatibility.
Why is Bambora disabling both TLS 1.0 and TLS 1.1?
PCI Data Security Standard (PCI DSS) mandated that TLS 1.0 cannot be used after June 30, 2018 for safeguarding payment data. Bambora North America will disable TLS 1.1 at the same time to ensure we maintain the highest security standards.
Are there external resources available to assess my current implementation of TLS?
What are the consequences of not being up to date with security protocols?
The PCI council requires Payment Service Providers like Bambora to deprecate older protocols that are no longer considered secure. This means that connections using TLS 1.0 and TLS 1.1 will be considered not secure by our system and will fail.
I know my integration is up to date.
Perfect, then you don’t have to worry. We still recommend that you process a transaction at the new TLS 1.2-only endpoint to confirm.
What happens if I don’t update my integration?
If your integration is using TLS 1.0 and TLS 1.1 after April 30, 2018 all your transactions will fail.
I use Checkout, Virtual Terminal, and/or the Hosted Payment Form. Am I impacted?
No. Those who use Checkout, Virtual Terminal, or the Hosted Payment Form are not impacted, as the transactions are initiated from our system (you aren’t sending information to our server).
However, if you are using Response Notification, you should confirm that your system can handle TLS 1.2 through the steps outlined above.
I use Sage 50. Am I impacted?
You have to update to version 2018.1 of Sage 50 before April 30th 2018.