TLS Upgrade

What does this mean for customers? 

The Payment Card Industry Security Standards Council (PCI SSC) has issued a mandate that is designed to protect public (i.e., internet) communications that carry PCI-sensitive data.

As a founding member of PCI SSC, Mastercard will comply early with this mandate. 

Between April 30, 2018 and June 28, 2018, we will remove the following communication protocols and encryption ciphers from the Gateway: TLS version 1.0 and SSL version 3.

What does this mean?

TLS version 1.0 and SSL version 3 are switched off on all test environments. Test execution will highlight non-compliance where applicable.

Customers connecting to Mastercard Payment Services Gateway using TLS version 1.0 or SSL version 3 will no longer be able to process transactions, according to the following schedule:

| Gateway | End date |
| --- | --- |
| GateKeeper | April 30, 2018 |
| Mastercard Payment Gateway Services (Target) | May 31, 2018 |
| VPC-M (previously known as MiGS) | May 31, 2018 |
| eCommerce Payment Client (ePC) | June 28, 2018 |
| EuroCommerce | April 30, 2018 |
| DataCash Payment Gateway (DPG) | May 31, 2018 |
| Alternative Payment Gateway (APG) | June 28, 2018 |
| Client Finance | June 28, 2018 |
| Ack Terminal Services (ATS) | June 28, 2018 |
| Electronic Funds Transfer (EFT) Pay | December 31, 2018 |
| TNSPay Retail Gateway (TPRG) | June 28, 2018 |
| VSP | December 31, 2018 |
| TNS Pay Payment Client (TPPC) | June 28, 2018 |

Your business may be affected if you are not ready to adopt the PCI SSC mandate as per the above schedule.

What do you need to do now?

You need to ensure your browsers and integrations use the TLS protocol, version 1.1 or higher, as per the above schedule.

Mastercard Payment Gateway Services supports TLS version 1.1 or higher now, so all Mastercard Payment Gateway Services customers should migrate browsers to TLS version 1.1 or higher as soon as possible, and certainly by the dates outlined above.

Frequently Asked Questions

What is happening?


The PCI Security Standards Council (PCI SSC) has mandated that strong cryptography, Transport Layer Security version 1.2 (TLS v1.2), is used whenever payment card information is sent or received.

Under the PCI SSC mandate, merchants and their service providers are required to comply by June 28, 2018 if they are to maintain compliance with PCI standards.

As a founding member of PCI SSC, Mastercard will comply early with this mandate.  Mastercard Payment Gateway Services will remove communication protocols and encryption ciphers TLS v1.0 and Secure Socket Layer (SSL) v3 based on the following phased approach:

| Gateway | End date |
| --- | --- |
| GateKeeper | April 30, 2018 |
| Mastercard Payment Gateway Services (Target) | May 31, 2018 |
| VPC-M (previously known as MiGS) | May 31, 2018 |
| eCommerce Payment Client (ePC) | June 28, 2018 |
| EuroCommerce | April 30, 2018 |
| DataCash Payment Gateway (DPG) | May 31, 2018 |
| Alternative Payment Gateway (APG) | June 28, 2018 |
| Client Finance | June 28, 2018 |
| Ack Terminal Services (ATS) | June 28, 2018 |
| Electronic Funds Transfer (EFT) Pay | December 31, 2018 |
| TNSPay Retail Gateway (TPRG) | June 28, 2018 |
| VSP | December 31, 2018 |
| TNS Pay Payment Client (TPPC) | June 28, 2018 |

Why has PCI SSC mandated this change?

To increase card security.  It has been determined that continued use of TLS v1.0 and SSL v3 could result in the loss of confidentiality, integrity or loss of cryptographic key material.  PCI SSC is therefore retiring these formats and mandating more secure cryptographic protocols.  

What does this mean for me?

It means that customers connecting to Mastercard Payment Gateway Services using TLS v1.0 or SSL v3 will no longer be able to process transactions on the Gateway from the dates listed above.

If you are a Merchant Service Organization (typically, a white label reseller), you must proactively reach out to your merchants to advise them of the PCI SSC mandate. Please refer to the Technical FAQ for more details.

If you use Payment Client, please refer to the relevant section in the technical FAQ for more details.

What is the risk?

SSL and TLS have widespread use online and many vulnerabilities have been uncovered over the past 20 years. The National Institute of Standards & Technology (NIST) has determined that SSL and early versions of TLS cannot be adequately patched or repaired, therefore requiring retirement.

Use of SSL or TLS 1.0 could result in the loss of confidentiality, integrity, or loss of cryptographic key material.

What do I need to know?

You need to ensure your browsers and integrations use TLS v1.1 or higher as soon as possible.

Mastercard Payment Gateway Services supports TLS v1.1 or higher now. All Mastercard Payment Gateway Services customers should migrate browsers to TLS v1.1 or higher as soon as possible.

What do I do if I have more questions?

If, having read the communication supporting materials, you still have questions, you can:

  • Visit the Technical FAQs section
  • Contact your usual Mastercard representative who will be glad to assist wherever possible. 

Visit PCI SSC’s own sites:

What is SSL/TLS?

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols used to establish a secure communication channel between two systems. They are used to authenticate one or both systems, and to protect the confidentiality and integrity of information that passes between systems.

What resources are needed to make these changes?

The merchant will require the support of a developer/ web team to investigate their implementation. Steps taken will vary according to the integration implementation applied by the merchant. Common steps that the merchant can undertake include:

  • Reviewing logs of outgoing connections to the payment gateway (e.g. on firewalls / routers) to identify the security protocol used
  • Reviewing software used in the payment process and upgrading to the latest versions, including any payment client provided by Mastercard Payment Gateway Services
  • Ensuring protocol settings in browsers are only enabled for TLS 1.1 and/or 1.2
  • Testing the implementation against URLs provided in the Technical FAQ

What are the test URLs merchants should use to check if they are impacted?

DPG Platform:                    

  • To ensure your DPG implementation is no longer utilising TLS v1.0 or SSL v3.0, we strongly advise that you send test transactions to our test URL https://testserver.datacash.com, as this environment only supports TLS 1.1 or higher

MiGS and MPGS

An example of a successful test [Linux]:

    curl https://tlstest.qa01.gateway.mastercard.com/tlsdetails

    <html><head><title>TLS Validation Page</title></head><body>
    <b>Your connection to this MasterCard Payment Gateway Services test host has been made with the below details </b><br>
    <br>
    <b>TLS Protocol:</b> TLSv1.2 <br>
    <b>TLS Cipher Negotiated:</b> DHE-RSA-AES256-SHA256 <br>
    <br>
    <b>User-agent:</b> curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 <br>
    </body></html>
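
The check above can be scripted so that a build or monitoring job fails when an integration negotiates a retired protocol. The following is an added example, not Mastercard's own tooling: the function names are illustrative, the sample pages are constructed, and it assumes the test host reports OpenSSL-style protocol names (SSLv3, TLSv1, TLSv1.1, TLSv1.2) in the same layout as the output shown above.

```shell
#!/bin/sh
# Added example, not Mastercard tooling. Function names are illustrative.
# Assumption: the test host reports OpenSSL-style names (SSLv3, TLSv1, TLSv1.1,
# TLSv1.2), as the "TLSv1.2" in the sample output above suggests.

# Print the "TLS Protocol:" value from a TLS Validation Page read on stdin.
tls_protocol_from_page() {
    sed -n 's|.*<b>TLS Protocol:</b>[[:space:]]*\([A-Za-z0-9.]*\).*|\1|p' | head -n 1
}

# Exit status: 0 = TLS 1.1 or higher, 1 = retired protocol, 2 = not recognised.
tls_protocol_status() {
    case "$1" in
        TLSv1.[1-9]*) return 0 ;;
        SSLv*|TLSv1|TLSv1.0) return 1 ;;
        *) return 2 ;;
    esac
}

# Read a validation page on stdin, print a one-line verdict, return the status.
check_tls_page() {
    proto=$(tls_protocol_from_page)
    rc=0
    tls_protocol_status "$proto" || rc=$?
    case $rc in
        0) echo "OK $proto" ;;
        1) echo "RETIRED $proto" ;;
        *) echo "UNKNOWN ${proto:-no-protocol-field}" ;;
    esac
    return $rc
}

# Live check (needs network). Once legacy protocols are switched off, a client
# limited to TLS 1.0 gets no page at all, so a failed transfer is reported too.
check_tls_url() {
    page=$(curl -sS --max-time 15 "$1") || { echo "NO-PAGE (handshake or network failure)"; return 3; }
    printf '%s\n' "$page" | check_tls_page
}

# Constructed sample page; $1 is the protocol string to embed.
sample_page() {
    printf '%s\n' '<html><head><title>TLS Validation Page</title></head><body>' \
        "<b>TLS Protocol:</b> $1 <br>" \
        '<b>TLS Cipher Negotiated:</b> DHE-RSA-AES256-SHA256 <br>' '</body></html>'
}

sample_page TLSv1.2 | check_tls_page   # offline demo on the constructed page
```

To run it against the live test host, call check_tls_url with the tlsdetails URL shown above from the same machine and software stack that the payment integration uses.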

Other Platforms (including UK Retail Gateway)

  • For other platforms please contact your usual Mastercard representative who will be glad to assist wherever possible

How does this impact our payment clients?

eCommerce Payment Client (ePC)

No existing version of ePC is compatible with TLS 1.1/1.2. We strongly recommend that merchants using ePC migrate to other integration methods with additional features/functionalities (e.g. VPC or WSAPI).

For merchants that want to continue using the ePC payment client, Mastercard will be releasing an updated version that will no longer support legacy TLS/SSL. Merchants will likely have minimal testing timelines after release of the new version; therefore, an extension has been granted until June 28, 2018 to allow time for upgrades to complete.

Merchants should ensure that they are using one of the following supported operating systems if they will rely on the new ePC release:

  • Windows 7
  • Windows 10
  • Windows 2008 R2
  • Windows 2016
  • RHEL 5.5+
  • RHEL 7

Impacted merchants should log on to their respective Merchant Manager Portals for the updated software and installation guides. An additional communication will follow imminently to confirm the ePC 6.0 release date.

How do Merchant Service Organizations (MSO) communicate this to their merchants?

As an MSO, you need to inform all your merchants of the requirement to retire the use of SSLv3 and TLS 1.0 as we will no longer accept transactions after April 30, 2018. 

As an MSO how can I monitor progress in making these changes?

You are required to communicate with all your merchants and monitor their progress in ceasing TLS 1.0 usage, and to have them test against the provided test URL whether they are impacted. Mastercard will be looking at further ways to assist our MSOs and merchants in tracking progress in 2018.