May
11
Keywords: 

Fiserv is updating cipher support for TLS 1.2 connections to all subdomains of api.payeezy.com domain to improve connection security for all clients. This is a corporate-wide, global change for any clients consuming our API services hosted on Apigee.

Timeline:

Environment Domain Date Status
TEST api-test.payeezy.com 13 April 2020 Completed
CAT api-cat.payeezy.com 7 May 2020 Completed
CERT api-cert.payeezy.com 14 May 2020 Scheduled
PROD api.payeezy.com 11 Aug 2020 Scheduled

The changes are being made to update cipher support for all TLS 1.2 connections.
To help our clients ensure readiness for the change, this document will explain the details of the change and how they may validate their client TLS 1.2 configurations ahead of the changes. In our testing to-date, clients who are using up-to-date TLS security libraries should not see any impact with the changes.

Changes:
- TLS 1.2 cipher suite updates – Each year Fiserv cyber security, networking, and risk teams evaluate and publish an updated list of approved TLS 1.2 ciphers. It’s up to each application and/or platform to make the updates in a way that minimizes impact to our clients. Any client requests that work today will work tomorrow unless using one of the 12 ciphers in red below which are being deprecated due to identified security vulnerabilities. The 6 ciphers in black are supported today and will continue to be supported. The 2 new ciphers listed in green will be added to provide more options.

Change Summary:
- 12 currently supported TLS 1.2 cipher suites will be deprecated (no longer supported).
- 6 currently supported TLS 1.2 cipher suites will be maintained (still supported).
- 2 new (additional) TLS 1.2 cipher suites will be supported.
- Below list summarizes deprecated (red), maintained (black), and new (green) TLS 1.2 cipher suites for 2020.

OpenSSL name == IANA Name

  • ECDHE-ECDSA-AES128-SHA256 == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • ECDHE-RSA-AES128-SHA256 == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • ECDHE-ECDSA-AES256-SHA384 == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • ECDHE-RSA-AES256-SHA384 == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • DHE-RSA-AES128-SHA == TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE-ECDSA-AES256-SHA == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ECDHE-RSA-AES256-SHA == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ECDHE-ECDSA-AES128-SHA == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ECDHE-RSA-AES128-SHA == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • DHE-RSA-AES128-SHA256 == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • DHE-RSA-AES256-SHA == TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • DHE-RSA-AES256-SHA256 == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • ECDHE-RSA-AES256-GCM-SHA384 == TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • ECDHE-RSA-AES128-GCM-SHA256 == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384 == TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256 == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • DHE-RSA-AES256-GCM-SHA384 == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • DHE-RSA-AES128-GCM-SHA256 == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • DHE-ECDSA-AES256-GCM-SHA384 == TLS_DHE_ECDSA_WITH_AES_256_GCM_SHA384
  • DHE-ECDSA-AES128-GCM-SHA256 == TLS_DHE_ECDSA_WITH_AES_128_GCM_SHA256

Client Validations:
Non-prod TLS 1.2 client connectivity validations by all Merchants/Clients against any proxy endpoints supported by any TEST, CAT, or CERT subdomain(s) below will be required following TLS 1.2 cipher updates in those environments and prior to PROD change planned for 8/11/2020 to confirm current client TLS configurations support at least one of updated list of supported ciphers.
Merchants/Clients may validate TLS connectivity for their client systems against any API endpoints supported by Payeezy API non-prod subdomains and/or dedicated healthcheck endpoints below.

Environment Payeezy API Subdomain Healthcheck Endpoint
TEST api-test.payeezy.com GET https://test.api.firstdata.com/healthcheck
CAT api-cat.payeezy.com GET https://api-cat.payeezy.com/healthcheck
CERT api-cert.payeezy.com GET https://api-cert.payeezy.com/healthcheck

Successful (expected) Healthcheck Response:
{
"status": "OK"
}

Based on above non-prod validations, a small number of Merchants/Clients may be required to update their client TLS configurations.

These client TLS config updates only required if (1) currently using one of deprecated ciphers AND (2) client TLS configurations do not already support one of other, approved supported ciphers.

When:
- Fiserv needs to make the changes ASAP for security compliance. Production will be implemented by 8/11/2020.

- TLS 1.2 cipher updates in CERT will be implemented 5/14/2020 starting 11 PM ET. The changes are expected to take less than 60 mins and there’s no expected outages during the period while we make and validate the changes.
- TLS 1.2 cipher updates in PROD will be implemented 8/11/2020 at time selected to minimize impact for all current clients, to be determined following CERT updates.
- We are very open to testing with any client as soon as they are ready. We will spend the entire night on client support calls to help validate the changes on off hours as to not interrupt normal testing.
- That said, if you can’t successfully test against the healthcheck service ahead of time, then your first time testing will be once the changes are made. The request from this communication is for you to provide feedback on your ability to support our changes and if you’d like to test on the off-hours to ensure a seamless rollout.

Sincerely,

Payeezy Team