Cipher update

Payeezy Gateway will update cipher support for TLS 1.2 connections to all subdomains of the PROD and TEST domains to improve connection security for all clients. This is a corporate-wide, global change affecting any client that uses the Payeezy Gateway web-service APIs.

These changes only impact the Client Hello/Server Hello handshake phase of the SSL/TLS connection.

A Payeezy Gateway merchant can test TLS 1.2 cipher connectivity using the Payeezy Gateway certification environment.

  • No Payeezy Gateway certification environment account is required.
  • The merchant can simply point their integration at the URL noted below. From there, submitting a standard payload is all that is required.

https://api-crt.gateway.payeezytest.com/transaction/v#

  1. v# in the URL above stands for the Payeezy Gateway API version number currently being called.
  2. If the merchant gets a ‘bad credentials’ response, that means success: the TLS 1.2 cipher negotiation was successful and the merchant environment holds the proper ciphers. Response message: “Unauthorized request. Bad or missing credentials”.
  3. If the merchant gets an SSL/TLS handshake failure, that means the merchant API integration is using deprecated ciphers and requires an update to prevent a future production impact.


Here is the schedule for the environments:

Environments              Link to the environment                             Deployment Date

All merchants are required to validate connectivity. Merchants who take no action could see an impact on their processing.

The weak ciphers scheduled for removal, according to Fiserv Web Application Security:

  • AES128-SHA
  • AES128-SHA256
  • AES256-SHA
  • AES256-SHA256
  • DES-CBC3-SHA
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305

 

The secure ciphers that will continue to be supported:

  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
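
An offline pre-check a merchant can run before the live certification test, added here as an example and not Payeezy or Fiserv code: it compares the TLS 1.2 suites a Python client offers against the two lists in this notice, and probe performs only the handshake step of the test described above. The function names are assumptions of this example; the cipher names are the OpenSSL names exactly as listed in this notice.

```python
import socket
import ssl

# Cipher lists copied from this notice (OpenSSL names).
RETAINED = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
}
REMOVED = {
    "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256",
    "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}

def tls12_context(cipher_string=None):
    """Client context pinned to TLS 1.2, optionally with a custom cipher string."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cipher_string:
        ctx.set_ciphers(cipher_string)
    return ctx

def local_offer(ctx):
    """Names of the non-TLS-1.3 suites this context puts in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def classify_offer(offered):
    """Split a client's offered cipher names against the notice's two lists."""
    offered = set(offered)
    return {
        "retained": sorted(offered & RETAINED),
        "removed": sorted(offered & REMOVED),
        "will_negotiate": bool(offered & RETAINED),
    }

def probe(host, port=443, ctx=None, timeout=10):
    """Live TLS 1.2 handshake; returns the negotiated cipher or the failure reason."""
    ctx = ctx or tls12_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("handshake_ok", tls.cipher()[0])
    except ssl.SSLError as exc:
        return ("handshake_failed", exc.reason or str(exc))
```

A retained suite in the local offer is necessary but not sufficient, since the ECDHE-ECDSA suites can only be selected when the server presents an ECDSA certificate. Calling probe("api-crt.gateway.payeezytest.com") runs the handshake against the certification host named in this notice.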