First Data and the payments industry have determined the next generation of security, requiring replacement of existing SHA-1 certificates. First Data will update its SSL certificates to SHA-256. Trusted certificate providers will no longer support SHA-1 for digital certificates. The Payeezy Gateway will comply with the latest standards for creating secure sessions for eCommerce transactions.
All certificates used for First Data’s Payeezy Gateway that provide certificate-based services must transition to a SHA-256 certificate by Thursday, June 11th, 2015. To minimize service disruption, please make the necessary changes recommended below.
Prior to updating this certificate, we would like to give merchants the opportunity to test the changes. The following test URLs have been created with a new production SSL certificate generated using SHA-256. We ask that merchants connect and continue testing the URLs below prior to the scheduled update on Thursday, June 11th, 2015.
- Realtime Payment Manager (RPM) - users must update their intermediate and root CA within their browser or install a newer version. Chrome users may also see a change in the SSL lock icon shown below in the address bar when connected to a site using HTTPS. This icon change only notes that the site SSL certificate is using SHA-1 (current version); it does not indicate that the Gateway website is insecure. RPM - https://har-rpm.globalgatewaye4.firstdata.com
- Merchants using RPM who have upgraded their browsers in anticipation of the upgrade should continue accessing the Payeezy Gateway normally now and after the change on June 11th.
- Hosted Payment Page (HCO) - users must update their intermediate and root CA within their browser or install a newer version. The same applies to Chrome users outlined above. HCO - https://har-rpm.globalgatewaye4.firstdata.com
- Merchants using HCO who have upgraded their browsers in anticipation of the upgrade should continue accessing the Payeezy Gateway normally now and after the change on June 11th.
- Web Service API (API) - users must review how the SSL handshake is performed and determine if a certificate store is maintained. If a certificate store is maintained, its intermediate and root CAs may need to be updated to ensure a successful SSL handshake. API - https://har-api.globalgatewaye4.firstdata.com
- Merchants using the API who have a certificate store where both the old SHA-1 and new SHA-2 SSL certificates reside together should continue processing normally now and after the change on June 11th.
- Merchants using the Payeezy Gateway API who use Basic SSL authentication without a certificate store to access the Gateway are not required to make changes but are encouraged to continue testing.
- Payeezy API merchants will need to consult with their internal development and server/operations teams to accomplish testing and any changes.
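For API merchants who maintain a certificate store, the following added example (not First Data code) reads the signature algorithm of every certificate in a PEM bundle and marks those signed with SHA-1. The function names are hypothetical, and the sample store is built from constructed skeleton certificates that carry only the fields the parser reads.

```python
import re
import ssl

# DER-encoded OID bytes -> signature algorithm name
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name of the algorithm the issuer used to sign this certificate."""
    tag, start, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    oid = bytes(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, "unknown OID " + oid.hex())

def audit_store(pem_bundle):
    """Return [(index, algorithm, is_sha1)] for each certificate in a PEM bundle."""
    algs = [signature_algorithm(ssl.PEM_cert_to_DER_cert(p))
            for p in PEM_RE.findall(pem_bundle)]
    return [(i, a, "sha1" in a.lower()) for i, a in enumerate(algs)]

# Constructed sample: skeleton certificates (structure only, not real or verifiable)
def tlv(tag, body):
    return bytes([tag, len(body)]) + body            # short-form lengths only

def skeleton_cert(oid):
    alg = tlv(0x30, tlv(0x06, oid) + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)        # stand-in tbsCertificate
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

SAMPLE_STORE = "".join(ssl.DER_cert_to_PEM_cert(skeleton_cert(oid))
                       for oid in list(SIG_OIDS)[:2])
```

Pass the contents of your own PEM bundle to `audit_store` in place of `SAMPLE_STORE`. A SHA-1 signature on a self-signed root is expected to show up as flagged, since a trust anchor is trusted by its presence in the store rather than by its signature.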
First Data suggests reviewing the additional information provided. Use the reference instructions for the applicable browser (e.g. Chrome, Firefox, etc.).
- Compatibility chart for the popular OS, browser and email clients: https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility
- Timeline of the SHA-256 rollout for the popular browsers: https://support.globalsign.com/customer/portal/articles/1447169
- Information on migration from SHA-1 to SHA-256: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657
- Transition plan: http://www.symantec.com/page.jsp?id=sha2-transition
Please ensure this information reaches the appropriate IT contacts in your organization. Should you have questions, please direct them to your Relationship Manager or Support Team, or call 855-448-3493.