Fiserv is updating cipher suite support for TLS 1.2 connections to api.payeezy.com and its non-production counterparts (api-test, api-cat and api-cert) to improve connection security for all clients. This is a corporate-wide, global change for any client consuming our API services hosted on Apigee.
| Environment | Payeezy API Subdomain | Change Date | Status |
| --- | --- | --- | --- |
| TEST | api-test.payeezy.com | February 11, 2021 | Completed |
| CAT | api-cat.payeezy.com | March 3, 2021 | Scheduled |
| CERT | api-cert.payeezy.com | March 10, 2021 | Scheduled |
| PROD | api.payeezy.com | May 19, 2021 | Scheduled |
The change updates the set of cipher suites accepted on all TLS 1.2 connections.
To help clients confirm their readiness, this document explains the details of the change and how clients may validate their TLS 1.2 client configurations ahead of each rollout. In our testing to date, clients using up-to-date TLS libraries have not been affected by the change.
- TLS 1.2 cipher suite updates – Each year Fiserv's cyber security, networking, and risk teams evaluate and publish an updated list of approved TLS 1.2 cipher suites. It is up to each application and platform to apply the updates in a way that minimizes impact to clients. Any client request that works today will continue to work unless the client can only negotiate one of the two cipher suites being deprecated because of identified security vulnerabilities. Two currently supported suites remain supported, and two new suites are being added to provide more options.
- 2 currently supported TLS 1.2 cipher suites will be deprecated (no longer supported).
- 2 currently supported TLS 1.2 cipher suites will be maintained (still supported).
- 2 new (additional) TLS 1.2 cipher suites will be supported.
The list below summarizes the deprecated, maintained, and new TLS 1.2 cipher suites for 2021 for all legacy domains (payeezy, firstdata, ipg-online):
| OpenSSL name | IANA name |
| --- | --- |
| DHE-RSA-AES256-GCM-SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| DHE-RSA-AES128-GCM-SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
After the TLS 1.2 cipher updates are applied in the TEST, CAT, and CERT environments, and before the PROD change planned for 5/19/2021, all Merchants/Clients are required to validate TLS 1.2 client connectivity against any proxy endpoint on those non-prod subdomains, to confirm that their current client TLS configuration supports at least one cipher suite from the updated list.
Merchants/Clients may validate TLS connectivity for their client systems against any API endpoints supported by Payeezy API non-prod subdomains and/or dedicated healthcheck endpoints below.
| Environment | Payeezy API Subdomain | Healthcheck Endpoint |
| --- | --- | --- |
Successful (expected) Healthcheck Response:
Based on above non-prod validations, a small number of Merchants/Clients may be required to update their client TLS configurations.
A client TLS configuration update is only required if (1) the client currently uses one of the deprecated cipher suites AND (2) the client does not already support one of the other approved cipher suites.
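The readiness check above (does the client still have an approved suite once the deprecated ones are gone, and does each non-prod host actually negotiate one of them?) is easy to get wrong by eyeballing a cipher string. The following script is an added example, not Fiserv or Payeezy code. It takes the six suite names and the three non-prod hostnames from this notice; which two suites are the deprecated ones is not identified in this text, so the script reports per-suite support and takes the deprecated set as an argument. `local_supported_suites` runs offline against the local OpenSSL build; `probe` performs a real TLS 1.2 handshake offering a single suite and needs network access.

```python
"""Client-side TLS 1.2 readiness check for the Payeezy cipher suite update.

Added example, not Fiserv code. Suite names and hostnames come from the notice;
everything else (function names, the deprecated set you pass in) is illustrative.
"""
import socket
import ssl

# OpenSSL name -> IANA name for the six suites in the notice. The CBC suites use
# the OpenSSL names ECDHE-RSA-AES256-SHA384 / ECDHE-RSA-AES128-SHA256.
SUITES = {
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES128-GCM-SHA256": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

# Non-production subdomains listed in the notice.
NONPROD_HOSTS = ["api-test.payeezy.com", "api-cat.payeezy.com", "api-cert.payeezy.com"]


def _tls12_context(cipher_string):
    """Client context pinned to TLS 1.2 that offers only `cipher_string`."""
    ctx = ssl.create_default_context()          # system trust store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)              # raises SSLError if nothing matches
    return ctx


def local_supported_suites(suites=SUITES):
    """Subset of `suites` (OpenSSL names) this Python/OpenSSL build can offer.

    Offline check: inspects the local cipher list only, never the server.
    """
    supported = set()
    for name in suites:
        try:
            ctx = _tls12_context(name)
        except ssl.SSLError:                    # unknown or disabled in this build
            continue
        if any(c["name"] == name for c in ctx.get_ciphers()):
            supported.add(name)
    return supported


def survives_update(supported, deprecated):
    """True if the client keeps at least one approved, non-deprecated suite.

    This is the notice's condition: a config change is needed only when the
    client relies on a deprecated suite AND offers none of the other approved ones.
    """
    remaining = (set(supported) & set(SUITES)) - set(deprecated)
    return bool(remaining)


def probe(host, suite, port=443, timeout=10):
    """Attempt a TLS 1.2 handshake to `host` offering only `suite`.

    Returns (negotiated_cipher, protocol) on success, or None if the handshake
    fails (suite rejected, TLS 1.2 refused, certificate problem, network error).
    Requires network access; run against NONPROD_HOSTS before the PROD date.
    """
    try:
        ctx = _tls12_context(suite)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return name, proto
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    local = local_supported_suites()
    for name, iana in SUITES.items():
        print(f"{'ok' if name in local else 'NO':3s}{name:30s}{iana}")
    # Live validation: one handshake per (host, suite) the client can offer.
    for host in NONPROD_HOSTS:
        for suite in sorted(local):
            print(host, suite, probe(host, suite))
```

The offline report tells you whether the client library can offer the maintained and new suites at all (old Java or OpenSSL builds without AES-GCM are the usual culprits); the live probe tells you whether each non-prod environment accepts them after its change date. A client that pins a single cipher suite in its configuration should be checked against `survives_update` with that one suite as `supported`.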
- Fiserv needs to make the changes ASAP for security compliance. Production will be implemented by 5/19/2021.
- TLS 1.2 cipher updates in CERT will be implemented on 3/10/2021 starting at 11 PM ET. The change is expected to take less than 60 minutes, and no outage is expected while we make and validate it.
- TLS 1.2 cipher updates in PROD will be implemented 5/19/2021 at time selected to minimize impact for all current clients, to be determined following CERT updates.
- We are very open to testing with any client as soon as they are ready. We will spend the entire night on client support calls to help validate the changes during off hours so as not to interrupt normal testing.
- That said, if you cannot successfully test against the healthcheck service ahead of time, your first test will be after the changes are made. The request in this communication is that you provide feedback on your ability to support our changes and tell us whether you would like to test during off hours to ensure a seamless rollout.