UPDATE - April 5, 2016
Please note that our previously published production date of April 7 in which minor adjustments to our applications' TLS configurations, including refreshing the specific ciphers we support, is now May 5 instead.
- We are delaying the retirement of TLSv1.0 on existing applications until 2018.
- However, we are still making minor adjustments to our TLS configuration as originally scheduled.
In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.1 of the PCI Data Security Standard, which disallows the continued use of the TLSv1.0 protocol. The original retirement deadline was June 30, 2016, but in mid-December 2015 the Council delayed the deadline by two years to June 30, 2018. This decision was a direct result of feedback provided to the Council from merchants, technology organizations, and payment processors, including Vantiv. We thank you for your feedback, as it was instrumental in developing ours.
As a result of the Council's announcement, we have decided to delay disabling TLSv1.0 on our existing applications until early 2018. In accordance with PCI DSS v3.1, any new applications we release will only support TLSv1.1 and higher.
Despite this extension, we still strongly recommend that you use TLSv1.2 to encrypt your communications with us, as it is the most secure version of TLS. While earlier versions of TLS are not cryptographically "broken,” they do have some structural weaknesses and they do not take advantage of the latest developments in cryptography.
We also want to caution that the security threat landscape is continuously evolving. Regulatory requirements are subject to change, and new exploits continue to appear. While we try to adhere to published schedules as much as possible, we reserve the right to make changes on shorter notice if any threat warrants it.
Finally, please remember that you and Vantiv have a shared security responsibility. It is our responsibility to provide a secure service using industry standards and best practices, and it is your responsibility to ensure that your systems are compatible with those standards. We believe the trend of exploits in cryptographic protocols like TLS is going to continue. Therefore, if you do not have in-house resources to adapt to these changes, we recommend you retain an appropriate technology partner to assist you when necessary.
What is Still Changing
We will still be making minor adjustments to our applications' TLS configurations, including refreshing the specific ciphers we support, according to the following schedule:
- Pre-Live & Post-Live – Jan. 14, 2016
- Production – April 7, 2016 Now May 5, 2016
PLEASE NOTE: We do not anticipate any customer impact as a result of these changes, and there is no specific action you need to take.
The new list of supported ciphers will be (in order of preference):
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
- TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
- TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
- TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
- TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
- TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
- TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
- TLS_RSA_WITH_RC4_128_SHA (0x5) *see below
Notably, we are dropping support for the RC4 cipher, which is no longer considered secure. This change will occur in two phases. First, we will demote RC4 to the least-preferred cipher for our applications. Then, after 30 days, we will disable RC4 completely. While we do not anticipate any impact from this change, out of an abundance of caution, we will monitor our systems for use of RC4 during the grace period, and will proactively reach out to customers who may be affected by this change.
We will also be disabling client-initiated session renegotiation across our applications. This TLS protocol feature is not required for any of our services.
Vantiv eCommerce is committed to maintaining a high level of security for our customers, and aligning with industry standards and best practices for information security. If you have any further questions, please contact your Customer Experience Manager or Customer Service (eCommerce Customer Care; 1-800-548-5326, Option 3).