Mar
05

Before April 30th, 2019, First Data will be making a change to the infrastructure that supports our REST API
gateway. This is a corporate-wide, global change for any clients leveraging our APIs hosted on Apigee.

| Environment | HTTP Header | Date |
|---|---|---|
| CAT | Host: api-cat.payeezy.com | March 10, 2019 |
| CERT | Host: api-cert.payeezy.com | TBD, before April 30, 2019 |
| PROD | Host: api.payeezy.com | TBD, before April 30, 2019 |

The changes are being made to switch traffic to newer infrastructure, update the security cipher suites used in TLS
connections, and enforce SNI compliance.

To help our clients ensure they are ready for the changes, this document explains the details of the changes and
how you can test ahead of them. In our testing to date, clients who are using up-to-date libraries shouldn’t
see any impact from the changes.

Changes:
- Network routing changes – No impact to the client. This is simply updating DNS records and routing traffic
into Apigee through a new route.
- Security cipher suite changes – Each year First Data’s cyber security, networking and risk teams evaluate
and publish an updated list of acceptable ciphers. It’s up to each application and/or platform to make the
updates in a way that minimizes impact to our clients. Any client requests that work today will work
tomorrow unless they use one of the 4 ciphers in red below, which are being removed. The ciphers in black
exist today. The ones listed in green are newly added to provide more options.

OpenSSL name == IANA Name

  • AES128-GCM-SHA256 == TLS_RSA_WITH_AES_128_GCM_SHA256
  • AES128-SHA256 == TLS_RSA_WITH_AES_128_CBC_SHA256
  • AES256-GCM-SHA384 == TLS_RSA_WITH_AES_256_GCM_SHA384
  • AES256-SHA256 == TLS_RSA_WITH_AES_256_CBC_SHA256
  • ECDHE-RSA-AES128-GCM-SHA256 == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ECDHE-RSA-AES128-SHA256 == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • ECDHE-RSA-AES256-GCM-SHA384 == TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • ECDHE-RSA-AES256-SHA384 == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • DHE-RSA-AES128-SHA == TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE-RSA-AES256-SHA == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ECDHE-RSA-AES128-SHA == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • DHE-RSA-AES128-GCM-SHA256 == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • DHE-RSA-AES128-SHA256 == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • DHE-RSA-AES256-GCM-SHA384 == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • DHE-RSA-AES256-SHA == TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • DHE-RSA-AES256-SHA256 == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

- Server Name Indication (SNI) compliance – For reference, see the Wikipedia article on Server Name
Indication.
Last year when we updated to use TLS 1.2, most clients would have already updated their
solutions with libraries that support SNI.
If, however, there is an issue making the connection, you’ll simply need to add an additional HTTP
header as noted in the environment table in this notice.

Testing:
- Step 1: The quickest and easiest way to verify whether you’re going to be impacted.
You can verify access by issuing this command from any browser, device, or server; you should get a
simple JSON response.
- Request: curl -X GET https://test.api.firstdata.com/healthcheck
- Response: {"status": "OK"}
You can programmatically call the exact same URL. If you can connect and get the
response, you’re well on your way.
If you have issues, it’ll normally be because you are using outdated ciphers, or because the library isn’t
automatically adding the Host header.

- Step 2: The official process will be to test your actual code against our INT and/or CAT environments after
we make the changes.
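
A local readiness check for Step 1, as an added example that is not First Data's code: it lists which of the suites named in this notice a Python client will offer, then repeats the healthcheck call with SNI and the Host header set. The function names are illustrative, and the offline check cannot tell which four suites are being removed.

```python
import http.client
import ssl

# OpenSSL names of every suite listed in this notice. The notice marks four of
# them for removal by colour only, so a match here is necessary, not sufficient.
NOTICE_SUITES = frozenset("""
AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256
""".split())


def client_context(cipher_string=None):
    """TLS 1.2+ client context that verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cipher_string:
        ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def offered_notice_suites(ctx):
    """Suites this client will offer that also appear in the notice's list."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["name"] in NOTICE_SUITES)


def healthcheck(host="test.api.firstdata.com", path="/healthcheck", ctx=None):
    """Live check (needs network): returns (negotiated cipher, HTTP status, body)."""
    conn = http.client.HTTPSConnection(host, context=ctx or client_context(), timeout=10)
    try:
        conn.connect()                 # the TLS handshake sends SNI = host
        cipher = conn.sock.cipher()[0]
        conn.request("GET", path)      # http.client adds the Host header itself
        resp = conn.getresponse()
        return cipher, resp.status, resp.read().decode()
    finally:
        conn.close()


if __name__ == "__main__":
    print("offered:", offered_notice_suites(client_context()))
    print("live:", healthcheck())
```

Pass your application's own cipher string to `client_context` to see whether it leaves any overlap with the list; an empty result means the handshake cannot succeed with a TLS 1.2 suite from this notice.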
When:
- First Data needs to make the changes ASAP. Production has to be implemented by 4/30/2019.
- We will be setting the date very soon, but since these are our testing platforms, we can’t proceed further
until the changes are made. We have exhausted our internal testing with great success.
- The time of the changes will be 10:30pm ET. The changes are expected to take less than 60 mins and
there are no expected outages during the period while we make and validate the changes.
- We are very open to testing with any client as soon as they are ready. We will spend the entire night on
client support calls to help validate the changes in off hours so as not to interrupt normal testing.
- That said, if you can’t successfully test against the healthcheck service ahead of time, then your first time
testing will be once the changes are made.
The request from this communication is for you to provide feedback on your ability to support our changes and if
you’d like to test on the off-hours to ensure a seamless rollout.

Sincerely,
Payeezy Team