TLS Merchant Guide

Information for cardholders can be found here: TLS Guide for Cardholders.

Ecommerce merchants can refer their customers to the above guide.

This guide is intended for our customers. As it is technical, we recommend that you make your IT staff or website administrator aware of it so that they can perform the necessary checks.

Key Information

What is Happening?

TLS 1.0 will no longer be considered secure enough for PCI standards. We aim to make this change well before the deadline, so please check the dates below.

This means we cannot allow connections to our servers using TLS 1.0 protocol. TLS 1.2 will be required to connect to sec.paymentexpress.com.

If you would like to read about this in more detail, the PCI Security Standards Council has published a document on the matter. To read it, click here.

Dates

Please see the Status Page for the current scheduled dates.

Does this affect me?

This affects all customers to some degree. Any connection to sec.paymentexpress.com is required to use TLS 1.2 in order to establish a connection. Our Payline portal and all Ecommerce products connect via this address.

This includes customers making payments online via our payment pages.

Up-to-date PCs, devices and servers should now have support for TLS 1.2, so this should be a matter of ensuring that your servers and other devices have the latest updates applied and that you are not relying on operating systems which are no longer supported.

EFTPOS Customers

For new EFTPOS installations you may find the installer cannot run if you are not on Windows 7 or above.

Our EFTPOS software has the required TLS 1.2 support built right into it; it does not rely on the operating system. So you do not need to worry about your EFTPOS terminal losing the ability to connect to us, even if the operating system is outdated.

HIT EFTPOS - if you use a standalone EFTPOS unit that receives transactions via a mobile or Wi-Fi connection (our new HIT EFTPOS solution), your Point of Sale device connects to sec.paymentexpress.com to forward transactions to the EFTPOS machine. So please check that your Point of Sale device and software are up to date.

Unattended Payment Terminals

Parking machines, vending machines, carwashes

Our SCRcontroller software has TLS 1.2 support built in, so it will be fine regardless of the operating system version. GPRS-based devices use port 60 or 65 and do not use HTTPS, so they are unaffected. Unattended devices using Ingenico terminals connect on port 61, like integrated EFTPOS, and do not use HTTPS, so they will not be directly affected by this change.

For third-party hardware and software connecting to us via HTTPS, vendors will need to ensure that the application they use to connect to us has TLS 1.2 support.

Ensuring Device is Ready

PCs and Consumer Devices

PCs and Consumer Devices would generally be used to access Payline (our online portal for merchants) and for making payments online. The information in this section can also be helpful if you have users unable to access your payment page.

Minimum OS with built-in TLS 1.2 support:

Windows 7

Windows Phone 8.1

Apple Mac OS X 10.9

Apple iOS 5

Android 4.4

For Payline, and making payments online, you only need to ensure your web browser supports TLS 1.2. So even if the operating system does not have the required protocol, downloading a new web browser may be a solution.

The latest versions of Chrome, Firefox and Opera are available for popular operating systems including mobile devices, and include TLS 1.2 support.

To easily check if a device or browser you are using is prepared for this change, you can simply open this link in the browser you’d like to check and it will show you the result: https://sec.paymentexpress.com/pxmi3/tlscheck

For Servers and Devices using other Payment Express Software

This section is aimed at developers and server administrators. It concerns all servers and devices used to interface with Payment Express software and APIs, ranging from Ecommerce payments such as PxPay to batch payment solutions such as PxBatch and 3rd party solutions which connect to us. It does not cover EFTPOS.

If you do not ensure your server software is able to support TLS 1.2, then you will be unable to connect to Payment Express for processing transactions.

Minimum OS with built-in TLS 1.2 support:

Windows 7

Windows Server 2008 R2

Note that in Windows 7 and Windows Server 2008 R2, TLS 1.2 may not be enabled by default; please see the section "Enabling TLS 1.2 on Windows Machines" below.

We have seen a small number of merchant website Payment Express integrations that hardcode the connection to a specific protocol. If you have a custom solution, we recommend asking your developer to check that you are not hardcoded to TLS 1.0. It is best to allow it to automatically use the most secure protocol available; failing that, hardcode it to TLS 1.2.

We are unable to provide specific advice for all server operating systems and software out there; we highly recommend doing research online to ensure the software you use will support TLS 1.2.

Note that customers accessing your PxPay / PxFusion payment page are affected by this change too; to assist them, see the "PCs and Consumer Devices" section above.

You can use the native browser of your server (e.g. Internet Explorer on Windows) to check whether it is ready, in the same way as you would for any other device, using the TLS checker link above.

Please be aware that some applications have their own SSL/TLS implementation built into their code and do not use the operating system's built-in API; this checker cannot take that into account.

Payment Express PxBat4, PX2 and DPSAuthSSL use the Windows APIs, so if you use them you can use Internet Explorer for this test.
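The browser check above answers what the server's built-in TLS stack can negotiate; the same question can be asked from a PowerShell prompt, one protocol at a time, which also shows directly what an integration hardcoded to TLS 1.0 (the concern raised earlier) will experience. This is an added example, not Payment Express code; it assumes port 443 and that the connecting software uses the Windows SChannel API, as the guide says PxBat4, PX2 and DPSAuthSSL do.

```powershell
# Added example (not Payment Express code): probe which TLS versions this Windows
# host's SChannel stack can negotiate with a server, one protocol per attempt.
# Host name is the one the guide names; port 443 is an assumption (standard HTTPS).
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $tcp = $null
    $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
        # Plain constructor keeps normal certificate validation: a failing
        # certificate check is a finding, not something a probe should hide.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        # Restrict the handshake to exactly one protocol so each result is unambiguous.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        New-Object PSObject -Property @{
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Result     = 'OK'
        }
    }
    catch {
        # Failure means either this host cannot offer the protocol (e.g. TLS 1.2
        # disabled in SCHANNEL) or the server refused it (expected for TLS 1.0
        # once the change is live). The message says which side declined.
        New-Object PSObject -Property @{
            Requested  = $Protocol
            Negotiated = $null
            Cipher     = $null
            Result     = "FAILED: $($_.Exception.GetBaseException().Message)"
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

# One attempt per protocol the guide discusses. TLS 1.2 must succeed from any
# server that talks to Payment Express; a client hardcoded to TLS 1.0 only ever
# sees the first row, which is exactly what will stop working.
$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -HostName 'sec.paymentexpress.com' -Protocol $p
}
$results | Select-Object Requested, Negotiated, Cipher, Result | Format-Table -AutoSize
```

Unlike the browser checker, this probe is not affected by Internet Explorer's own settings, so it isolates the operating system's SChannel configuration from the browser's.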

Enabling TLS 1.2 on Windows Machines

On some Windows machines TLS 1.2 may be supported but disabled.

  1. In Internet Explorer, go to Tools -> Internet Options -> Advanced
  2. Scroll to the Security section at the bottom
  3. Enable TLS 1.2
  4. Click OK

For Windows Server 2008 R2 and IIS

For servers hosting websites via IIS, you may need to perform the steps below in addition to the steps above.

Please only follow these steps if you are experienced in editing the Windows registry. This is risky: changes you make here take effect immediately and there is no undo option. We recommend that you back up the registry first.

  1. Open the registry editor - Start -> Run -> type in Regedit.exe
  2. Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  3. Right-click the Protocols folder, select 'New' and then 'Key' from the drop-down menu. Name the new folder: TLS 1.2
  4. Add two new keys in this folder with the following names: Client and Server
  5. Right-click the Client key, select New -> DWORD (32-bit). Name the DWORD: DisabledByDefault
  6. Right-click DisabledByDefault, select Modify. Set the value to 0 and ensure the Base is Hexadecimal
  7. Create a second DWORD. Name it Enabled and set the value to 1. Again, ensure the Base is Hexadecimal
  8. Perform steps 5 to 7 for the Server key
  9. Reboot the server for the change to apply

The end result should look like this:

[Screenshot: registry settings under the TLS 1.2 key]
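The registry steps above as a PowerShell script, with the backup the guide recommends taken first and a read-back check of the end result. This is an added example, not Payment Express code; it assumes an elevated prompt, and the backup location in the user's TEMP folder is a choice made here, not part of the guide.

```powershell
# Added example (not Payment Express code): scripted form of the regedit steps
# above, followed by a read-back check. Run from an elevated PowerShell prompt.
$protocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls12Path     = Join-Path $protocolsPath 'TLS 1.2'

function Backup-SchannelKey {
    # Backup location is an assumption of this example; pick any safe path.
    param([string]$Destination = "$env:TEMP\schannel-backup.reg")
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Destination /y | Out-Null
    return $Destination
}

function Enable-SchannelTls12 {
    foreach ($side in 'Client', 'Server') {
        $keyPath = Join-Path $tls12Path $side
        # Steps 3-4: create Protocols\TLS 1.2\Client and \Server (no-op if present).
        New-Item -Path $keyPath -Force | Out-Null
        # Steps 5-8: DisabledByDefault = 0 and Enabled = 1, both 32-bit DWORDs.
        New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-SchannelTls12 {
    # One row per side so the result can be compared with the guide's screenshot.
    foreach ($side in 'Client', 'Server') {
        $keyPath = Join-Path $tls12Path $side
        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Side              = $side
            DisabledByDefault = $props.DisabledByDefault
            Enabled           = $props.Enabled
            Ready             = ($props.DisabledByDefault -eq 0 -and $props.Enabled -eq 1)
        }
    }
}

$backup = Backup-SchannelKey
Write-Host "Registry backup written to $backup"
Enable-SchannelTls12
Test-SchannelTls12 | Select-Object Side, DisabledByDefault, Enabled, Ready | Format-Table -AutoSize
Write-Host 'Step 9: reboot the server, then re-test with the TLS checker.'
```

Run Test-SchannelTls12 on its own first if you only want to see the current state without changing anything.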

Support

If you have any concerns or queries regarding these changes, please contact our support team who are here to help.