RC4 and TLS 1.0
Message Sent to Merchants and Partners
Data Security Deadlines – retiring RC4 and TLS 1.0
Test your system and contact your software vendor (if any) to prevent disruption in 4th quarter, 2016
We take the security of your information seriously, and we want to let you know about upcoming data encryption changes that may impact you.
In the 4th quarter, 2016, we are ending our support of the RC4 encryption cipher and the TLS 1.0 encryption protocol. We are reminding all clients to make sure their web browsers and payment processing solutions are updated before the 4th quarter.
What is RC4?
An encryption cipher is required for any transaction, whether it’s processed using a terminal, website or an app. RC4 is just one of many encryption ciphers that your point-of-sale solution might be using, and it no longer meets Payment Card Industry security standards. If your solution is using only this one cipher, then your payment processing will be interrupted in the 4th quarter.
What is TLS 1.0?
An encryption protocol is required for any transaction, whether it’s processed using a terminal, website or an app. TLS 1.0 is just one of many encryption protocols that your browser or payment software might be using, and it no longer meets Payment Card Industry security standards. If your solution is using only this one protocol, then your payment processing will be interrupted in the 4th quarter.
Here’s how these changes impact you
- Test your browser
- Test your payment software, if any. Your reseller/vendor/integrator will contact you about what you need to test.
We’re here to help
Click here for
- How to test your browser
- Frequently Asked Questions
- Updates on this topic
If you have questions or concerns,
- Check out the Technical Bulletin on this subject. The answer you need may already be posted and you won’t have to wait for us to reply.
- Reply to this email, or click here to email. Email is a faster way to get a response than calling.
We appreciate your business. Thank you for choosing FrontStream.
- TLS 1.0 now supported on dev.ftipgw.com every weekday, even if it is a holiday, e.g. Labor Day. Prior to this change, TLS 1.0 was only supported on days that FrontStream was open.
- Deadline postponed to 4th quarter, 2016. Some partner systems need major work in order to move to TLS 1.2. The exact date will be posted here closer to that time. When working with individual integrators, we use a 4-6 week timeframe (i.e. a target date before 4th quarter) in order to keep the project focused.
- Deadline postponed to late June. We have run into some unexpected hurdles with many of our partner systems with the TLS 1.0 protocols. As such, we will delay our retirement of the TLS 1.0 protocol from May 3rd until late June. As we work through the process of testing with our partners, we will provide additional details on the actual retirement date. We want to provide ample time and support to our partners for this transition.
- Shorter window for browser testing each day. Effective Thursday 4/28/16, the revised hours for testing your browser are: Weekdays: 1:30 PM Pacific through the night to 6:30 AM Pacific the next morning. Weekends and holidays: any time.
Frequently Asked Questions (FAQ)
Q: Where do I look for updates on this project?
A: On this page.
How Do I Test My Browser?
- Pick any time from 1:30 PM Pacific (4:30 PM Eastern) through the night until 6:30 AM Pacific (9:30 AM Eastern) the next day, then do the following steps. Tests run outside this 17-hour window are invalid. Any time is OK for testing except 6:30 AM – 1:30 PM Pacific.
- Start Internet Explorer. Internet Explorer is the only browser officially supported by ArgoFire, but the latest versions of most other browsers also work, most of the time.
- Paste in this address and go to it: https://dev.ftipgw.com/admin/login.aspx
- You should see this page, including the highlighted URL:
- If you get an error instead, upgrade to the latest version of your browser and try again. If you still get an error, you’ll need to work with your own IT/Support people to upgrade/modify your browser to work without RC4 and/or TLS 1.0.
- The final step is to log in with the credentials shown below. Do not use your usual credentials. Username:
- Click Login.
- You should see the result below, including the message in red.
- If you get any other result, you’ll need to work with your own IT/Support people to upgrade/modify your browser to work without RC4 and/or TLS 1.0.
How Do I Test My Device/Software?
Your reseller/vendor/integrator will contact you about whether you need to test, and if so, how to test, but here is the general idea: Pick any time from 1:30 PM Pacific (4:30 PM Eastern) through the night until 6:30 AM Pacific (9:30 AM Eastern) the next day. Tests run outside this 17-hour window are invalid. Any time is OK for testing except 6:30 AM – 1:30 PM Pacific.
From each computer/terminal/device (hereafter “device”) you use for credit cards, run a credit card transaction the same way you would run a normal consumer/customer credit card, but using:
These API Credentials
URL: dev.ftipgw.com (not secure.ftipgw.com)
These Transaction Details
Name on Card: RC4 Test – <something to identify the device you ran from>, e.g. RC4 Test – Cashier 1
Visa Test Card Number:
4055 0167 2787 0315
(If the following applies to you, you’ll understand what it means.) If the software you are testing uses a PNRef as a token for a stored credit card number, and then runs subsequent charges using that token, PNRef 565492 is an Approved transaction against the above Visa/Expiration/Amount, so use 565492 if you need a PNRef for your testing.
Interpreting the result
|On this device, if I see...||It means ...||I should...||FrontStream will...|
|Approved||Good news. It works!||Do nothing.||Do nothing.|
|Time out or error or anything other than Approved||Bad news. This device is not compatible with the change. Processing will be blocked.||(1) Click here to submit a ticket, saying what happened instead of an Approval, attaching a screenshot if possible. CC your IT/programming staff so FrontStream knows who to work with. (2) Expect my processing to be blocked during the other time windows above.||Provide technical details so your staff can resolve the problem.|
Integrators/Partners – Suggested Test Pattern
The cipher/protocol set toggles on the test server at dev.ftipgw.com. For a 6-hour window, TLS 1.0 is enabled. For a 17-hour window, TLS 1.0 is disabled. However, 24 hours a day, RC4 cipher is disabled and TLS 1.2 is enabled.
- During the time window 7:00 AM to 1:00 PM Pacific on any weekday, check that your software is configured to use the dev.ftipgw.com URL and the fpwz6932 username/password above. Run the test transaction above. You should get an Approval. If you don’t get an Approval, click here to contact FrontStream. Getting an Approval indicates that you are correctly configured to reach the test server.
- Wait until 1:30 PM Pacific. By this time TLS 1.0 will be disabled on the test server.
- Run the test transaction again.
- If you get Approval, your software/environment support TLS 1.2 and you are finished.
- If you do not get Approval, you need to modify your software/environment to support TLS 1.2. Reasoning: the only thing that changed between your two tests was the protocol set on the test server. As you work toward supporting TLS 1.2, you can continue to test any time except 10:30 AM to 1:30 PM Pacific, during which time the test server either has TLS 1.0 enabled, or is in transition.
- At any time, you can run this tool to see the TLS settings currently in effect. In the resulting report, under Configuration > Protocols you’ll see TLS 1.0 with either a No or a Yes. No means it is disabled, and that is the state we want to move toward.
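When the second test fails, a packet capture of your client's first handshake message shows which condition it misses. The following is an added example, not FrontStream's code: it parses a raw TLS ClientHello record and reports whether the client offers TLS 1.2 and at least one non-RC4 cipher suite. The function names and the three sample records are constructed for illustration, and the parser reads only the legacy version field, which is the highest version offered by clients up to TLS 1.2.

```python
import struct

# RC4 suites most often seen in client offers (IANA code points; not exhaustive).
RC4_SUITES = {0x0004, 0x0005, 0xC002, 0xC007, 0xC00C, 0xC011}
# Signalling values listed alongside cipher suites that are not ciphers.
SIGNALLING = {0x00FF, 0x5600}
TLS_1_2 = 0x0303

def parse_client_hello(record: bytes) -> dict:
    """Extract the offered version and cipher suites from one ClientHello record."""
    try:
        ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete ClientHello record")
        (version,) = struct.unpack_from("!H", body, 4)  # after type(1) + length(3)
        pos = 4 + 2 + 32                                 # skip version and random
        pos += 1 + body[pos]                             # skip session id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        suites = struct.unpack_from(f"!{cs_len // 2}H", body, pos + 2)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"version": version, "suites": list(suites)}

def survives_cutover(record: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for a server with TLS 1.0 and RC4 both disabled."""
    hello = parse_client_hello(record)
    ciphers = [s for s in hello["suites"] if s not in SIGNALLING]
    if hello["version"] < TLS_1_2:
        return False, "highest protocol offered is below TLS 1.2"
    if all(s in RC4_SUITES for s in ciphers):
        return False, "only RC4 cipher suites offered"
    return True, "TLS 1.2 offered with a non-RC4 suite"

def build_hello(version: int, suites: list[int]) -> bytes:
    """Construct a minimal ClientHello record (sample input, no extensions)."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(msg)) + msg

# Constructed samples: a TLS 1.0 client, an RC4-only client, a current client.
TLS10_CLIENT = build_hello(0x0301, [0x0005, 0x0004, 0x002F])
RC4_ONLY_CLIENT = build_hello(0x0303, [0x0005, 0x0004, 0x00FF])
MODERN_CLIENT = build_hello(0x0303, [0xC02F, 0x009C, 0xC011])

if __name__ == "__main__":
    for name in ("TLS10_CLIENT", "RC4_ONLY_CLIENT", "MODERN_CLIENT"):
        print(name, survives_cutover(globals()[name]))
```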
The PCI council changed the official date from June 2016 to June 2018, but there is a big security risk, and FrontStream will close that risk by June 2016 by disabling TLS 1.0 and supporting only TLS 1.2 and above. This holds regardless of the council’s plan to extend the window for companies who complained that it would take a lot of time to upgrade their systems and services.
http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls
http://blog.pcisecuritystandards.org/impact-new-migration-dates-ssl-early-tls
https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf