Providing efficient and secure methods of processing payment transactions to our clients is a top priority for Worldpay. As part of these efforts, Worldpay will discontinue support of legacy encryption methods, such as Secure Socket Layer version 3 (SSLv3) and early versions of Transport Layer Security (TLS 1.0).
SSLv3 and early versions of TLS are network protocols that are used to encrypt and protect Internet communications. The PCI Security Standards Council has declared that SSLv3 and early versions of TLS no longer meet minimum security standards due to security vulnerabilities for which there are no fixes. SSLv3 has been widely used for more than 20 years; however, more than 10 years ago it was superseded by TLSv1, which has since been superseded by TLSv1.2.
Worldpay will end its support of SSLv3 and early TLS by June 30, 2018.
Customers who continue to use these protocols will no longer be able to connect to Worldpay using Internet-based services or eCommerce-type applications. In addition, Worldpay will stop supporting weak encryption cipher suites, such as Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES, or TDEA).
Merchants and Partners should be in the process of disabling legacy protocols and enabling support of TLSv1.2 for communication with Worldpay platforms prior to the June 2018 date.
For encryption, Worldpay will only support cipher suites based on Elliptic Curve Diffie-Hellman (ECDHE) and RSA key exchange, Advanced Encryption Standard (AES), and Secure Hash Algorithms (SHA).
What is Changing?
We will be discontinuing SSLv3, TLS 1.0, and weak ciphers according to the following schedule on the following environments:
- Pre-Live and Post-Live – Jan 15, 2018
- Production – April 30, 2018
To minimize any disruption to processing, Worldpay recommends that our partners and merchants test their TLS-only connectivity as soon as feasible.
The new list of supported protocols (in order of preference):
- TLS 1.2
- TLS 1.1 (not recommended)
The new list of supported ciphers (in order of preference):
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
- TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
- TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
- TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
- TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
- TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
- TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Worldpay eCommerce is committed to maintaining a high level of security for our customers, and aligning with industry standards and best practices for information security.
If you have any questions, please contact your eCommerce relationship or partner manager.