Authorize.net TLS and Cipher Support
000001526
05/03/2023 05:30 AM
- What version of TLS does Authorize.net support?
- How can I find out what protocols and ciphers Authorize.net supports?
- What are the current best practices to follow for browsers and/or when setting up a new server-to-server connection that relies on TLS to secure the connection?
- What actions do I need to take?
What version of TLS does Authorize.net support?
Authorize.net supports the following TLS protocols:
- TLS 1.2 - Supported
- TLS 1.3 - Supported for Portals only. API support will be added in the future.
How can I find out what protocols and ciphers Authorize.net supports?
ECDHE GCM ciphers are preferred. For a full list, an SSL Labs report can be run to see and verify the TLS versions and ciphers supported. Please see below for a list by API endpoint and environment, with a link to the report.
- Transact
- ANET API
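What are the current best practices to follow for browsers and/or when setting up a new server-to-server connection that relies on TLS to secure the connection?
At this time only TLS 1.2 should be used. Earlier versions are no longer supported. With the TLS 1.2 protocol, any modern cipher suite may be used to initiate the secure handshake, but there are some preferred configurations: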
- ECDHE GCM ciphers are preferred.
- Perfect Forward Secrecy (PFS) cipher suites are preferred but not required.
- Keyed hash functions must be used with either SHA-2 or SHA-3. SHA-1-based functions are not allowed.
- Authenticated encryption modes (e.g. AES-GCM, ChaCha20-Poly1305) must be preferred over other AES modes (e.g. AES-CBC).
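One way a server-to-server client could apply these preferences, as an added example (not Authorize.net or SDK code): a Python `ssl` context pinned to TLS 1.2 with ECDHE AEAD suites, plus a helper that grades OpenSSL suite names against the list above. The cipher string, function names and grade labels are assumptions made for illustration.

```python
import ssl

# Assumed OpenSSL cipher string: ECDHE key exchange with AEAD modes only.
PREFERRED = "ECDHE+AESGCM:ECDHE+CHACHA20"

def build_context():
    """Client context limited to TLS 1.2 and ECDHE AEAD cipher suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the page: only TLS 1.2 for now
    ctx.set_ciphers(PREFERRED)
    return ctx

def offered_tls12_suites(ctx):
    """TLS 1.2 suite names the context will offer (TLS 1.3 names skipped)."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]

def grade_suite(name):
    """Grade an OpenSSL TLS 1.2 suite name: preferred, allowed or rejected."""
    parts = name.split("-")
    aead = "GCM" in parts or "CHACHA20" in parts
    if not aead:
        # Non-AEAD suites use HMAC; the last token names its hash.
        # A bare "SHA" means SHA-1, which the page does not allow.
        return "allowed" if parts[-1] in ("SHA256", "SHA384") else "rejected"
    # AEAD plus ECDHE matches the page's first preference; AEAD without
    # ECDHE is still usable because forward secrecy is not required.
    return "preferred" if parts[0] == "ECDHE" else "allowed"

if __name__ == "__main__":
    # Constructed sample names, not taken from a scan of any endpoint.
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
                  "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA"):
        print(f"{suite:32} {grade_suite(suite)}")
    print(offered_tls12_suites(build_context()))
```

Pass the context to the HTTP client in use (for example `urllib.request.urlopen(url, context=ctx)`) so every API call negotiates within these limits.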
What actions do I need to take?
This will depend on how you are currently processing transactions with Authorize.net:
- Processing using API or SDK - If you are currently taking payments/transactions through a website, shopping cart, or other software, you will need to check with your developer or host/solution provider to confirm your website is connecting through TLS 1.2 and supported ciphers.
  - For SDK users, please ensure that you have pulled and are using the most recent update for any SDK via GitHub and that TLS 1.2 is enabled and being used.
  - You may see what your website/shopping cart or server supports using sites such as: https://www.howsmyssl.com/ or https://www.ssllabs.com/ssltest/
- Processing via Simple Checkout or Invoicing - If you currently use our Simple Checkout (HTML-generated buy now buttons) or Invoicing service (generate email invoices for payment), there are no changes needed. As these products rely on the customer's web browser, as long as the customers are using up-to-date browsers they will not encounter any errors related to TLS or cipher support.
- Processing via the Merchant or Partner Interface - If you are currently logging into https://account.authorize.net or https://login.authorize.net or https://partner.authorize.net, you should ensure you have upgraded your browser to a version that supports TLS 1.2.
  - You may also test your current browser using sites such as: https://www.ssllabs.com/ssltest/viewMyClient.html or https://www.howsmyssl.com/
  - To see which browsers support TLS 1.2, please find a list provided by SSL Labs here: https://www.ssllabs.com/ssltest/clients.html
  - See Supported Browsers for the browsers and versions Authorize.net supports.