Sagepay TLS 1.2 Update UK

Had an email from Sagepay this morning stating all servers must be able to use TLS 1.2 from March 2018.

Just thought I'd post here in case anyone who uses Sagepay in UK has missed it.

Notification - TLS 1.2 Security update


Hello,


Sage Pay are committed to ensuring the highest levels of security across all our systems. With this in mind, we’re upgrading the protocols that are used to secure all external connections to our systems to the latest and safest. We contacted you in November to let you know of these imminent changes to the protocols. The updates to our Test Server connections were completed in January as planned.


This is not an action Sage Pay is taking alone; all websites that send or process credit card data will be making this change to protocol Transport Layer Security 1.2 (TLS 1.2). This will become mandatory for communication with Sage Pay.


The next steps are to make the same changes to our Live Server in March 2018. Please see below for a reminder of the key information about the action you need to take to prevent disruption to your payment processing and the important dates.


What is TLS?


When your server connects to a Sage Pay server to process a transaction, Transport Layer Security (TLS) protocol encrypts the communications to keep them safe from malicious activity.


You or your developer can find out which TLS protocol your website uses by entering your domain on a website like www.ssllabs.com



Am I impacted?


If you use “Sage Pay Server” or “Sage Pay Direct” Integration to process ecommerce payments you will need to ensure your systems use TLS 1.2 before the deadline dates below.


When will the changes happen?


To avoid any disruption to Live Payments, your systems will need to be ready for this change by 31st March 2018.


Why are you making these changes?


The PCI Security Council sets the rules on which technologies are acceptable for use in sending cardholder data. They have identified TLS 1.0 or 1.1 as no longer acceptable.


We understand that technical information of this nature can seem daunting; please pass the information above to your development team, web hosting provider or e-commerce software provider if you are unsure.


Regards,

You can check the TLS version on your server with the following service:

https://www.ssllabs.com/ssltest/
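
Added example, not part of the posts above or of Sage Pay's email: with the Server and Direct integrations the email describes, your server connects out to Sage Pay, so this sketch checks the outbound side by pinning a client to TLS 1.2 and reporting what it offers and negotiates. The function names and the `gateway.example.invalid` placeholder are assumptions; pass the real gateway hostname from your integration settings. It tests the TLS library Python is linked against, which may differ from the one your shop software uses.

```python
import socket
import ssl
import sys


def tls12_only_context():
    """Client context that refuses anything other than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_hello_version(ctx, server_name="gateway.example.invalid"):
    """Offline check: start a handshake into memory and read the version
    field of the ClientHello this machine would send."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no server to answer
    hello = outgoing.read()
    # 5-byte record header (0x16 = handshake), 4-byte handshake header
    # (0x01 = ClientHello), then the 2-byte client_version field.
    if len(hello) < 11 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("no ClientHello produced")
    return tuple(hello[9:11])  # (3, 3) is the wire encoding of TLS 1.2


def negotiated_version(host, port=443, timeout=10):
    """Online check: connect out to host and report what was negotiated.
    Raises ssl.SSLError if the two sides cannot agree on TLS 1.2."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()  # "TLSv1.2" on success


if __name__ == "__main__":
    print("ClientHello version:", client_hello_version(tls12_only_context()))
    if len(sys.argv) > 1:  # hostname supplied by the operator
        print(sys.argv[1], "->", negotiated_version(sys.argv[1]))
```

Run it on the machine that actually sends the payment requests; an `ssl.SSLError` from the online check means that client stack could not complete a TLS 1.2 handshake with the host you gave it.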