Secure Electronic Payments API
Technical Bulletins
From time to time, technical improvements to the FrontStream Payment Gateway will require a more in-depth discussion. The pages below provide best practices, FAQ, and up-to-the-minute information related to each improvement.
RC4 and TLS 1.0
How to Test Your Software for TLS 1.0 Issues
If you don’t understand a term in this section, it means the testing doesn’t apply to you. For example, if you don’t know if you have an API, ignore that section. People who do have an API know it.
Testing Your Browser (e.g. Chrome, Safari, Firefox, Internet Explorer, Edge, etc.)
To test your browser, just open your browser and go to this site: https://www.howsmyssl.com/
If you do see “Probably Okay”, that’s the highest grade and means you’re using TLS 1.2, so your browser does not have a TLS 1.0 issue.
If you don’t see “Probably Okay”, just upgrade your browser to the highest version available and test again. In the rare cases where you still don’t get “Probably Okay”, talk to your computer support people. You might need a newer computer.
Testing Your Website
To test the protocols supported on a website, run this link configured for whatever site you want to test:
https://www.ssllabs.com/ssltest/analyze.html?d=mywebsite.com
e.g.
https://www.ssllabs.com/ssltest/analyze.html?d=test.ftipgw.com
Testing Your Own API
If you have your own API that others call, you can test the API using SoapUI (a professional testing tool requiring some developer skills).
Testing an External API
If your code calls someone else’s API, your best bet is to work with the API vendor.
Message Sent to Merchants and Partners
Data Security Deadlines – retiring RC4 and TLS 1.0
Test your system and contact your software vendor (if any) to prevent disruption in 2nd quarter, 2018
Dear Client:
We take the security of your information seriously, and we want to let you know about upcoming data encryption changes that may impact you.
In the 2nd quarter 2018, we are ending our support of the RC4 encryption cipher and the TLS 1.0 encryption protocol. We are reminding all clients to make sure their web browsers and payment processing solutions are updated before the 2nd quarter.
What is RC4?
An encryption cipher is required for any transaction, whether it’s processed using a terminal, website or an app. RC4 is just one of many encryption ciphers that your point-of-sale solution might be using, and it no longer meets Payment Card Industry security standards. If your solution is using only this one cipher, then your payment processing will be interrupted in the 2nd quarter.
What is TLS 1.0?
An encryption protocol is required for any transaction, whether it’s processed using a terminal, website or an app. TLS 1.0 is just one of many encryption protocols that your browser or payment software might be using, and it no longer meets Payment Card Industry security standards. If your solution is using only this one protocol, then your payment processing will be interrupted in the 2nd quarter.
Here’s how these changes impact you
- Test your browser
- Test your payment software, if any. Your reseller/vendor/integrator will contact you about what you need to test.
We’re here to help
- How to test your browser
- Frequently Asked Questions
- Updates on this topic
If you have questions or concerns,
- Check out the Technical Bulletin on this subject. The answer you need may already be posted and you won’t have to wait for us to reply.
- Reply to this email, or click here to email. Email is a faster way to get a response than calling.
We appreciate your business. Thank you for choosing FrontStream.
Updates
- Deadline postponed to 2nd quarter, 2018. This is the final postponement because PCI-mandated deadline is June 2018.
- Deadline postponed to 4th quarter, 2017.
- Deadline postponed to 3rd quarter, 2017.
- Deadline postponed to 1st quarter, 2017.
- TLS 1.0 now supported on dev.ftipgw.com every weekday, even if it is a holiday, e.g. Labor Day. Prior to this change, TLS 1.0 was only supported on days that FrontStream was open.
- Deadline postponed to 4th quarter, 2016. Some partner systems are needing major work in order to move to TLS 1.2. The exact date will be posted here closer to that time. When working with individual integrators, we use a 4-6 week timeframe (i.e. a target date before 4th quarter) in order to keep the project focused.
- Deadline postponed to late June. We have run into some unexpected hurdles with many of our partner systems with the TLS 1.0 protocols. As such, we will delay our retirement of the TLS 1.0 protocol from May 3rd until late June. As we work through the process of testing with our partners, we will provide additional details on the actual retirement date. We want to provide ample time and support to our partners for this transition.
- Shorter window for browser testing each day. Effective Thursday 4/28/16, the revised hours for testing your browser are: Weekdays: 1:30 PM Pacific through the night to 6:30 AM Pacific the next morning. Weekends and holidays: any time.
Frequently Asked Questions (FAQ)
Q: Where do I look for updates on this project?
A: On this page.
How Do I Test My Browser?
- Pick any time from 1:30 PM Pacific (4:30 PM Eastern) through the night until 6:30 AM Pacific (9:30 AM Eastern) the next day, then do the following steps. Tests run outside this 17-hour window are invalid. Any time is OK for testing except 6:30 AM – 1:30 PM Pacific.
- Start Internet Explorer. Internet Explorer is the only browser officially supported by ArgoFire, but the latest versions of most other browsers also work, most of the time.
- Paste in this address and go to it: https://dev.ftipgw.com/admin/login.aspx
- You should see this page, including the highlighted URL:
- If you get an error instead, upgrade to the latest version of your browser and try again. if you still get an error, you’ll need to work with your own IT/Support people to upgrade/modify your browser to work without RC4 and/or TLS 1.0.
- The final step is to log in with the credentials shown below, Do not use your usual credentials. Username:
BrowserTest
Password:BrowserTest9 - Click Login.
- You should see the result below, including the message in red.
- If you get any other result, you’ll need to work with your own IT/Support people to upgrade/modify your browser to work without RC4 and/or TLS 1.0.
How Do I Test My Device/Software?
Your reseller/vendor/integrator will contact you about whether you need to test, and if so, how to test, but here is the general idea: Pick any time from 1:30 PM Pacific (4:30 PM Eastern) through the night until 6:30 AM Pacific (9:30 AM Eastern) the next day. Tests run outside this 17-hour window are invalid. Any time is OK for testing except 6:30 AM – 1:30 PM Pacific.
From each computer/terminal/device (hereafter “device”) you use for credit cards, run a credit card transaction the same way you would run a normal consumer/customer credit card, but using:
These API Credentials
PartnerID/Reseller: 100
Vendor/Merchant/RPNum/MerchantKey: 715
Username: fpwz6932
Password: QNn9Yrjt
URL: dev.ftipgw.com (not secure.ftipgw.com)
These Transaction Details
Name on Card: RC4 Test – <something to identify the device you ran from >,
e.g. RC4 Test – Cashier 1
Visa Test Card Number: 4055 0167 2787 0315
CVV: 123
Expiration: 12/19
Amount: $5.00
(If the following applies to you, you’ll understand what it means.) If the software you are testing uses a PNRef as a token for a stored credit card number, and then runs subsequent charges using that token, PNRef 565492 is an Approved transaction against the above Visa/Expiration/Amount, so use 565492 if you need a PNRef for your testing.
Interpreting the result
[table “21” not found /]Integrators/Partners – Suggested Test Pattern
The cipher/protocol set toggles on the test server at dev.ftipgw.com. For a 6-hour window, TLS 1.0 is enabled. For a 17-hour window, TLS 1.0 is disabled. However, 24 hours a day, RC4 cipher is disabled and TLS 1.2 is enabled.
- During the time window 7:00 AM to 1:00 PM Pacific on any weekday, check that your software is configured to use the dev.ftipgw.com URL and the fpwz6932 username/password above. Run the test transaction above. You should get an Approval. If you don’t get an Approval, click here to contact FrontStream. Getting an Approval indicates that you are correctly configured to reach the test server.
- Wait until 1:30 PM Pacific. By this time TLS 1.0 will be disabled on the test server.
- Run the test transaction again.
- If you get Approval, your software/environment support TLS 1.2 and you are finished.
- If you do not get Approval, you need to modify your software/environment to support TLS 1.2. Reasoning: the only thing that changed between your two tests was the protocol set on the test server. As you work toward supporting TLS 1.2, you can continue to test any time except 10:30 AM to 1:30 PM Pacific, during which time the test server either has TLS 1.0 enabled, or is in transition.
- At any time, you can run this tool to see the TLS settings currently in effect. In the resulting report, under Configuration > Protocols you’ll see TLS 1.0 with either a No or a Yes. No means it is disabled, and that is the state we want to move toward.
Technical Articles
RC4 Cipher
InformationWeek
How the RC4 cipher is vulnerable
PCI
PCI council changed the official date to June 2018 from June 2016 but there’s a big security risk and Frontstream will be closing the risk by 1st Quarter 2016 and will be disabling TLS1.0 and only supporting TLS1.2 and above regardless of the council’s plan to extend the window for companies who complained that it would take a lot of time to upgrade their systems and services.
http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls http://blog.pcisecuritystandards.org/impact-new-migration-dates-ssl-early-tls https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
