Authorize.Net Support for SSL/TLS FAQ


Doc ID:    A1623
Version:    4.0
Status:    Published
Published date:    05/09/2017
Updated:    05/09/2017
 

Answer

NOTE: The PCI Data Security Standard requires that merchants discontinue using early TLS (1.0/1.1) for securing their sites, no later than June 30, 2018. In support of this, Authorize.Net is discontinuing support for TLS 1.0/1.1 on September 18, 2017. Please contact your solution provider and web hosting company to confirm that your solution and server fully support TLS 1.2 before or by September 18, 2017. Thank you.

I received an email from Authorize.Net about TLS disablement. What does this mean?
The PCI Security Standards Council recently announced that, as of June 30, 2018, TLS 1.0 (and in some cases, TLS 1.1) will no longer be supported. For details, see the PCI SSC document, Migrating from SSL and Early TLS.

For information on TLS please see, What is Transport Layer Security (TLS) and how does it work?

In preparation for this requirement, Authorize.Net plans to disable TLS 1.0/1.1 on the following dates:

Sandbox: Completed
Production: September 18, 2017

What actions do I need to take?
This will depend on how you are currently processing with Authorize.Net:

Processing using an API - If you are currently taking payments/transactions through a website, shopping cart or other software, you will need to check with your developer or host/solution provider to confirm the API connection favors TLS 1.2 and its supported ciphers.

You and your developer can review our API Best Practices for details about TLS 1.2 platform support, cipher recommendations, and other integration suggestions: https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Request-for-Comments-API-Best-Practices/ba-p/53668

Processing via the Merchant Interface – If you are currently logging into https://account.authorize.net to submit transactions via the Virtual Terminal, Automated Recurring Billing Subscriptions, Customer Profiles or a file upload, you should ensure you have upgraded your browser to a version that supports TLS 1.2. All current versions of all major browsers support TLS 1.2.

To see what browsers support TLS 1.2, please find a list here provided by SSL Labs: https://www.ssllabs.com/ssltest/clients.html

You may also test your current browser using this link: https://www.ssllabs.com/ssltest/viewMyClient.html

I use Simple Checkout, so are there any changes I need to make? No changes are needed, other than ensuring that your customers are using modern/up-to-date browsers to avoid any errors or issues after September 18, 2017.

Does Authorize.Net support SSL? No, Authorize.Net does not support any version of Secure Sockets Layer (SSL), as TLS was the replacement for SSL.

Does Authorize.Net support TLS? Yes, Authorize.Net supports the following TLS protocols:
TLS 1.2 – Supported
TLS 1.1 – End of support scheduled for September 18, 2017
TLS 1.0 – End of support scheduled for September 18, 2017

How can I find out what protocols and ciphers Authorize.Net currently supports? SSL Labs has full reports on the protocol and cipher support of our API endpoints. Please see below for a matrix of reports available, by API endpoint and environment.

 
  Production Sandbox
Transact, Legacy https://www.ssllabs.com/ssltest/analyze.html?d=secure.authorize.net Not Applicable
Transact, Akamai https://www.ssllabs.com/ssltest/analyze.html?d=secure2.authorize.net https://www.ssllabs.com/ssltest/analyze.html?d=test.authorize.net
ANet API, Legacy https://www.ssllabs.com/ssltest/analyze.html?d=api.authorize.net Not Applicable
ANet API Akamai https://www.ssllabs.com/ssltest/analyze.html?d=api2.authorize.net https://www.ssllabs.com/ssltest/analyze.html?d=apitest.authorize.net