Community Forums 

Upgrading of gateway - does this affect us?

    Apr 01 2015 10:21:24


    James Loudon

    Join date : 2008-09-18      Posts : 6

    I have been sent an email from Paypoint/Secpay. I know that all our cart processing is done by Mals but wanted to make sure that this is nothing to worry about.
    The changes we are making on 1 April 2015 are:

    Removal of support for SSL version 3 (SSLv3) from
    Upgrade of our SSL security certificates to include SHA-256

    Why is PayPoint making these changes?

    These changes are to address recent industry-wide concerns over the security of SSL and are not unique to PayPoint:

    On 14 October 2014, SSLv3 was found to be vulnerable to a security exploit known as “POODLE” (CVE-2014-3566). The Payments Card Industry has subsequently confirmed that neither method can be considered as an acceptable means of securing card data. We have previously included messages on our merchant site informing clients of our need to make this change. SSLv3 has already been removed from our metacharge service.
    SHA-1 is a commonly used method of encrypting the security certificates used to verify the identity of a server. SHA-1 has been considered weak for several years and the major web browsers began the process of sun-setting support for certificates using SHA-1 in 2014. The more recent versions of some web browsers now flag websites using SHA-1 as not fully trustworthy, which is likely to lead to consumer concern over using payment pages secured with SHA-1 certificates. We are making this change now because we need to renew our certificates as part of our regular maintenance processes.
    PayPoint uses SSLv3 and its successor, TLS, to encrypt data transmissions between our clients’ systems and our own. From 1 April 2015, we will only accept sessions encrypted with TLS 1.0, TLS 1.1 or TLS 1.2. We encourage the use of versions 1.1 or 1.2 as these are more secure than 1.0.