Security Roadmap

Disabling TLS 1.0, TLS 1.1
Tuesday 17 April 2018 21:00 UTC

(Originally 31st October 2017, this has been rescheduled)


The TLS 1.0 and TLS 1.1 protocols will be disabled; only TLS 1.2 and above will be accepted for all HTTPS connections to Payment Express services.

The deprecation of these cryptographic protocols is due to previously discovered security vulnerabilities in them, and to Payment Express adhering to the Payment Card Industry Security Standards Council requirement to no longer support these early TLS protocols.

We hope this change will not cause inconvenience. Payment Express takes security seriously, and these planned changes will benefit not only the internet security of Payment Express but also that of our clients.

If you have any queries about this change please contact us.

To assist merchants with testing and preparation, this change has been applied to our UAT test environment (uat.paymentexpress.com) since 29 August 2017. To test in this environment, please contact our support team for test accounts if required, and use uat.paymentexpress.com endpoints in place of sec.paymentexpress.com.

Please see the guides below for further detail.

Guides

To further assist with preparing for TLS 1.2, we have prepared the following guides.

For merchants:

https://www.paymentexpress.com/tls-merchant-guide

For anyone using the Payline portal or paying via a Payment Express Hosted solution (PxPay or Payform):

https://www.paymentexpress.com/tls-deprecation

You can share this guide with your customers, as some of them may be unable to access the payment page after this change if their device or web browser is not up to date.

Recently completed updates

SSL Certificate Replacement sec.paymentexpress.com
8pm Sunday the 23rd of July 2017 UTC


We will be replacing the trusted public certificate used to secure the API endpoints located at https://sec.paymentexpress.com, moving from one trusted certificate provider (Symantec) to another (DigiCert), at 8pm Sunday the 23rd of July 2017 UTC.

The following API endpoint already uses the DigiCert certificate chain; use it to test for any potential compatibility issues:

https://uat.paymentexpress.com/pxmi3/logon

DigiCert is a prominent, globally trusted certificate authority, so you should not need to make any changes to continue accessing the sec.paymentexpress.com APIs. You should, however, ensure that your environment trusts the DigiCert root and subordinate (intermediate) certificate authorities to avoid any complications.

If your application needs to explicitly trust the certificates, use the following download links:

sec.paymentexpress.com

uat.paymentexpress.com

If you have any queries about this change please contact us.

Deprecation of Triple DES (3DES) cipher
8pm Tuesday the 22nd of August 2017 UTC


We will be deprecating support for the 3DES cipher for encrypting data over HTTPS connections on all front-end web servers at Payment Express at 8pm Tuesday the 22nd of August 2017 UTC.

The attack against this cipher, referred to as "Sweet32", is a birthday attack that can recover secure HTTP cookies from a long-lived encrypted session that uses 3DES. Once obtained, these secure cookies could hold sensitive information, such as personal passwords or credit card details, that can be used for fraud.

The impact of this change should be minimal, as it currently affects only 1% of all traffic to our web front-end servers, but please make sure that your systems are not reliant on this cipher for encrypting traffic.
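As an added example (not Payment Express's own code), the following Python shows the client-side counterpart of the TLS 1.0/1.1 and 3DES notices on this page: a TLS client context that accepts only TLS 1.2 or newer and no 3DES suites, an audit of which enabled suites still use 3DES, and the birthday-bound arithmetic that explains why Sweet32 works against a 64-bit block cipher such as 3DES. The function names and the cipher string are my own assumptions that fit this policy, not Payment Express's configuration.

```python
import math
import ssl

# Suite-name fragments that mark a cipher suite as depending on 3DES (a 64-bit block cipher).
THREE_DES_MARKERS = ("3DES", "DES-CBC3")


def hardened_client_context() -> ssl.SSLContext:
    """Client-side equivalent of the server policy in the notices above:
    TLS 1.2 or newer only, and no 3DES cipher suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites limited to forward-secret AEAD ciphers; "!3DES" makes the
    # exclusion explicit. (TLS 1.3 suites are managed separately by OpenSSL.)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!3DES")
    return ctx


def three_des_suites(names):
    """Return the cipher suite names from `names` that still use 3DES."""
    return [n for n in names if any(m in n.upper() for m in THREE_DES_MARKERS)]


def context_three_des_suites(ctx: ssl.SSLContext):
    """Audit a configured context: which of its enabled TLS 1.2 suites use 3DES?"""
    return three_des_suites(c["name"] for c in ctx.get_ciphers())


def birthday_collision_probability(block_bits: int, n_blocks: int) -> float:
    """Probability that two ciphertext blocks collide after n_blocks blocks are
    encrypted under one key in CBC mode, using the birthday approximation
    1 - exp(-n^2 / 2^(b+1)). A collision leaks the XOR of two plaintext blocks,
    which is what Sweet32 exploits against 64-bit block ciphers such as 3DES."""
    return -math.expm1(-(n_blocks ** 2) / 2.0 ** (block_bits + 1))


def birthday_bound_gib(block_bits: int) -> float:
    """Data volume (GiB) at the birthday bound: 2^(b/2) blocks of b/8 bytes each."""
    return 2 ** (block_bits // 2) * (block_bits // 8) / 2 ** 30


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("3DES suites enabled:", context_three_des_suites(ctx))
    for bits in (64, 128):
        n = 2 ** (bits // 2)
        print(f"{bits}-bit blocks: {birthday_bound_gib(bits):.0f} GiB "
              f"-> collision probability {birthday_collision_probability(bits, n):.2f}")
```

For 64-bit blocks the bound is reached after 32 GiB under one key, which a long-lived session can plausibly transfer; for 128-bit blocks (AES) the same probability needs about 2^38 GiB.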

Use the following API endpoint to test against the 3DES deprecation:

https://uat.paymentexpress.com/pxmi3/logon

If you have any queries about this change please contact us.