mPAY24 Security Upgrades in 2017

We would like to inform you that we need to upgrade our security standards in order to comply with the PCI guidelines from the credit card institutes MasterCard and VISA.

1. Disable TLS 1.0 & RC4 Cipher on 20th February 2017

In a Nutshell

Merchants and partners use HTTPS to securely connect with mPAY24 servers. We use the Transport Layer Security (TLS) protocol to encrypt these communications. To increase the security of our systems and adhere to industry best practices, mPAY24 is updating its services to require TLS 1.1 or TLS 1.2 for all HTTPS connections. To avoid any disruption of service you must verify that your systems are ready for this change by February 20th, 2017.

What do you need to do?

Do you have a hosting provider?

=> Yes: Please contact your hosting provider to ensure they support TLS 1.1 or TLS 1.2.

=> No: Does your system already support TLS 1.1 or TLS 1.2? (Please see technical details below for how to verify this).

Does your system support TLS 1.1 or TLS 1.2?

=> Yes: Great! No action is required.

=> No: Please upgrade your system for TLS 1.1 or TLS 1.2 support.

Have you hard-coded an earlier version of TLS?

=> Yes: Please update your code to always use the latest version of TLS.

=> No: Great! No action is required.

Technical Details:

Our test systems are already configured!

The mPAY24 test endpoints have been configured with the latest security standards to which the production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards prior to the production endpoints getting updated. These endpoints only allow TLS 1.1 or TLS 1.2 connections: test.mpay24.com

Verify your systems:

mPAY24 recommends verifying whether your system supports TLS 1.1 or TLS 1.2 at https://www.ssllabs.com/ssltest/analyze.html. Enter the hostname of the system that connects to mPAY24 in the form input field. (Attention! Please make sure to activate the "Do not show the results on the boards" box!) After some time you will get an overview of your server's security level. If you have a rating of A, you are fine and no further action is required. If you get a rating other than A, you need to find out whether it has to do with protocol usage. If the report says that your server supports only older protocols, but not the current best, TLS 1.2, then you need to update your system.

You can also look into the protocol section and check whether TLS 1.1 and TLS 1.2 are enabled. If they are in the list and marked "YES", you are done. If not, please update your system to support the latest TLS versions.

The second thing to look for is RC4 in the Protocol Details section. RC4 should be marked as not in use.

2. Upgrade Diffie Hellman on 20th March 2017

In a Nutshell

Merchants and partners use HTTPS to securely connect with mPAY24 servers. We use different key exchange procedures to securely exchange keys between mPAY24 servers and merchant servers. To increase the security of our systems and adhere to industry best practices, mPAY24 is updating its services to only allow Diffie-Hellman keys with a bit length greater than or equal to 2048 for all HTTPS connections. To avoid any disruption of service you must verify that your systems are ready for this change by March 20th, 2017.

What do you need to do?

Do you have a hosting provider?

=> Yes: Please contact your provider to ensure they support DH key length >= 2048.

=> No: Does your system already support DH >=2048? (Please see technical details below for how to verify this).

Does your System support DH >= 2048 or does it use other key exchange algorithms?

=> Yes: Great! No action is required.

=> No: Please upgrade your system for DH >=2048 support.

Technical Details:

Our test systems are already configured!

The mPAY24 test endpoints have been configured with the latest security standards to which the production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards prior to the production endpoints getting updated. These endpoints only allow connections with DH >= 2048: test.mpay24.com

Verify your systems:

mPAY24 recommends verifying whether your system supports DH >= 2048 at https://www.ssllabs.com/ssltest/analyze.html. Enter the hostname of the system that connects to mPAY24 in the form input field. (Attention! Please make sure to activate the "Do not show the results on the boards" box!) After some time you will get an overview of your server's security level. If you have a rating of A, you are fine and no further action is required. If you get a rating other than A, you need to find out whether it has to do with key exchange.

If the summary states that the server supports weak Diffie-Hellman (DH) key exchange parameters, please update your system to a higher key exchange length.

Details can be found in the Cipher Suites section.

3. Upgrade to TLS 1.2 on 3rd July 2017

In a Nutshell

Merchants and partners use HTTPS to securely connect with mPAY24 servers. We use the Transport Layer Security (TLS) protocol to encrypt these communications. To ensure the security of our systems and adhere to industry best practices, mPAY24 is updating its services to require TLS 1.2 for all HTTPS connections. To avoid any disruption of service you must verify that your systems are ready for this change by July 3rd, 2017.

What do you need to do?

Do you have a hosting provider?

=> Yes: Please contact your provider to ensure they support TLS 1.2 or higher.

=> No: Does your system already support TLS 1.2 or higher? (Please see technical details below for how to verify this).

Does your System support TLS 1.2 or higher?

=> Yes: Great! No action is required.

=> No: Please upgrade your system for TLS 1.2 or higher support.

Note: To avoid having to make versioning changes reactively in the future, we recommend that you code your system to always negotiate using the highest possible version.

Technical Details:

Our test systems are already configured!

The mPAY24 test endpoints have been configured with the latest security standards to which the production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards prior to the production endpoints getting updated. These endpoints only allow TLS 1.2 connections: test.mpay24.com
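One way to run this check from the machine that connects to mPAY24 is the Python script below. It is an added example, not mPAY24 code: it sets TLS 1.2 as a floor instead of hard-coding one version, handshakes with the test endpoint named above, and reports the negotiated protocol and cipher. The function names are illustrative, and it assumes Python 3.7 or later.

```python
import socket
import ssl
import sys

MIN_VERSION = ssl.TLSVersion.TLSv1_2  # floor from the page's July 2017 requirement


def build_context():
    """Client context: highest shared version is negotiated, never below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = MIN_VERSION   # a floor, not a pin: no maximum is set
    return ctx


def policy_problems(version, cipher_name):
    """Compare negotiated parameters with the page's rules (TLS 1.2+, no RC4)."""
    problems = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {version} is below TLS 1.2")
    if "RC4" in cipher_name.upper():
        problems.append(f"cipher {cipher_name} uses RC4")
    return problems


def probe(host, port=443, timeout=10):
    """Handshake with host; return (version, cipher, problems)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_context().wrap_socket(raw, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
    return version, cipher, policy_problems(version, cipher)


def main(argv):
    host = argv[1] if len(argv) > 1 else "test.mpay24.com"  # endpoint named on the page
    print(f"local TLS library: {ssl.OPENSSL_VERSION}, TLS 1.2 available: {ssl.HAS_TLSv1_2}")
    try:
        version, cipher, problems = probe(host)
    except (ssl.SSLError, OSError) as exc:
        print(f"handshake with {host} failed: {exc}")
        return 2
    print(f"{host}: negotiated {version} with {cipher}")
    for problem in problems:
        print(f"  problem: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A failed handshake (exit code 2) against an endpoint that only accepts TLS 1.2 usually means the local TLS library is too old or an earlier version is pinned elsewhere in the client configuration.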

Verify your systems:

mPAY24 recommends verifying whether your system supports TLS 1.2 at https://www.ssllabs.com/ssltest/analyze.html. Enter the hostname of the system that connects to mPAY24 in the form input field. (Attention! Please make sure to activate the "Do not show the results on the boards" box!) After some time you will get an overview of your server's security level. If you have a rating of A, you are fine and no further action is required. If you get a rating other than A, you need to find out whether it has to do with protocol usage. If the report says that your server supports only older protocols, but not the current best, TLS 1.2, then you need to update your system.

You can also look into the protocol section and check whether TLS 1.2 is enabled. If it is in the list and marked "YES", you are done. If not, please update your system to support the latest TLS versions.

4. Upgrade SSL certificate on 7th November 2017

In a Nutshell

Merchants and partners use HTTPS to securely connect with mPAY24 servers. We use certificates from VeriSign to establish a secure communication. Our existing certificate has a lifespan of two years and ends on 3rd January 2018. To avoid any disruption of service you must verify that your systems are ready for this change by November 7th, 2017.

What do you need to do?

We already moved to the new SHA-256 algorithms and the new root certificate from VeriSign last year, so in most cases you do not need to take any action. Only if you know that you need to import certificates of partner systems do you need to add the new certificate from mPAY24 after October 3rd. In this case, please send an e-mail to support@mPAY24.com to retrieve the new certificate from us.

Technical Details:

Our test systems will be ready from 3rd October 2017

The mPAY24 test endpoints will be configured with the new certificate on 3rd October 2017. It will be the same certificate that will be used on the production endpoints on 7th November 2017. You can use these endpoints to verify that your code supports the required standards prior to the production endpoints getting updated: test.mpay24.com