PCI DSS 3.1: early TLS’s days are numbered
Security is at the heart of what we do here at judo, and to ensure that our platform and services are adhering to the latest security standards laid out by the PCI council (PCI DSS 3.1), we have made some updates to our API and SDKs.
These updates mean that we will be ending support for TLS 1.0 and below on 20th October 2016. After that date, any API requests or dashboard sessions will need to use either TLS 1.1 or TLS 1.2. (However, while not being immediately phased out, TLS 1.1’s days are numbered as well, so we would highly recommend an upgrade to TLS 1.2.)
What is happening?
PCI DSS version 3.1
The latest version of PCI Data Security Standard (DSS) affects all organisations that transmit or process card data. PCI DSS no longer consider SSL and early TLS to be meeting the security needs of organisations implementing strong cryptography to protect payment data over public or untrusted communications channels. A migration to TLS 1.2 is urged.
Therefore, all judo customers will have to verify that their environment supports TLS 1.2 and if necessary, make appropriate updates.
Sunsetting SHA-1 certificates
Introduced 10 years ago, the SHA-1 cryptographic algorithm is now considerably weaker than first designed to be. The industry’s security best practice, driven by web browsers, now urges all organisations to use more complex algorithms for HTTPS certificates. For example, websites and services using SHA-1 certificates and are valid past January 1, 2017 will no longer appear to be fully trusted in Chrome.
Hence, judo has shifted its HTTPS certificates with new certificates signed with the more secure SHA-256 hash algorithm.
What do I need to do?
TLS 1.2 Upgrade
Judo already supports TLS 1.2 for all secure connections and in February 2016 will begin disabling TLS 1.0 using a phased approach. Customers will need to verify that any connection from your implementation supports TLS 1.2 and if necessary, make appropriate updates. After 20th of October, all TLS 1.0 API connections will be refused.
SSL/TLS Certificate Upgrade
Judo has upgraded the SSL certificates used to secure our websites and API endpoints. These new certificates are signed using the SHA-256 algorithm. This is an industry-wide change, and is driven by web browsers and as explained above, and will soon be mandatory. Customers need to ensure that their environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that relies on SHA-1 signing algorithm before 20th October 2016 to ensure minimal disruption.
For implementations using one of judo’s SDK libraries, depending on the runtime environment and version your application uses, a code change or SDK update may be required in order to enable TLS 1.2. The best practice is to stay up to date with the latest SDKs and code library versions required. Besides, by upgrading to the new SDKs, you will also benefit from:
- Latest mobile fraud prevention feature, DeviceDNA, included in-built
- Better protection from fraud by auto-detection of rooted/jailbroken devices and having the ability to block payments from these devices
- Taking our award-winning UI to the next level: even more ways to match the payment screens to the rest of your app, and a new UI that is even more intuitive to use
- Lighter size SDKs means a lighter app for you and your users
<key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>yourdomain.com</key> <dict> <!--Include to allow subdomains--> <key>NSIncludesSubdomains</key> <true/> <!--Include to allow HTTP requests→ <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> <true/> <!--Include to specify minimum TLS version→ <key>NSTemporaryExceptionMinimumTLSVersion</key> <string>TLSv1.1</string> </dict> </dict> </dict>
<key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key><true/> </dict>
For Android applications: After the upgrade deadline, support for user devices older than API 16 (Android 4.1 “Jelly Bean”) will not be available. Our latest Android SDK already supports TLS 1.2 and is ready for this security update, all you need to do is upgrading to this new version of the SDK.
For Xamarin applications: Simply upgrade to the latest version of our Xamarin SDK, you can find the documentations here.
For .Net implementations: The latest version of the our .Net SDK can be found here, or downloaded through your nuget package manager within your IDE.
Your Account Manager will be in touch throughout the year in a phased approach to help you migrate your implementation to the latest API and SDKs. At the meantime, please do get in touch with us if you have any question regarding this change, you can do so by emailing email@example.com or by giving us a call at 0203 503 0600.
About Judopay · Judopay simplifies in-app payments, enable frictionless checkouts and intelligently prevents fraud for leading companies globally. Our payments and mobile experts help guide businesses and their development partners to create best in class apps to make paying faster, easier and more secure. Founded by serial financial technology entrepreneurs in 2012, Judopay is backed by leading venture investors and supported by banking and card scheme partners to offer in-app payments that are simple, frictionless and protected.