Yesterday an SSLv3 vulnerability nick named POODLE (Padding Oracle On Downgraded Legacy Encryption) was revealed by Google researchers (http://www.extremetech.com/computing/192063-google-finds-critical-vulnerability-in-ssl-3-0-called-poodle). SSLv3 is a communication encryption protocol mainly used by older browser versions or server-to-server communication towards Peach Payments.
For merchants it means that payment transactions submitted via SSLv3 could be intercepted and decrypted which causes a potential security threat to shopper data. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and older browsers, including Internet Explorer 6 for Windows XP, only use SSLv3.
As there are no remedies for this vulnerability, Peach Payments will no longer support SSLv3 for data security reasons.
The SSLv3 protocol support will be switched off in two steps as follows:
- On the TEST system, in the afternoon today, UTC time.
- On the LIVE system, middle of next week. An update will be sent to you at the beginning of next week with regards to the exact date.
Following actions are required by merchants:
- Merchants need to test their traffic, if they still can send transactions successfully to the TEST system after Peach Payments has blocked SSLv3 protocol by this afternoon.
- In case of errors in transaction submission please switch to TLS encryption and test again.
- Please note: TLS is not affected by the vulnerability and will therefore be used on TEST and LIVE system going forward.
- Merchants are strongly recommended to deny shoppers' access to the checkout page with browsers using SSLv3 and should recommend to them an update of their browser.
The above mentioned actions need to be in place by mid of next week when the SSLv3 protocol support will be switched off for the LIVE system.
Please do contact us for any questions that you may have.
Your Peach Payments Team