Sec Pay, the API provider for the popular Pay Point payment gateway service, has announced that after April 1st this year it will only support TLS v1.2. This is important for anyone still using Windows Server 2003 / Server 2008 (NON R2) or CentOS 5 / RHEL 5, as those operating systems currently have no support for TLS v1.2. Basically, if you take payments on your website via a payment gateway, you may need to take action to ensure that your site stays secure and continues to function.
After April 1st, the only version of Transport Layer Security (TLS) Sec Pay will support is 1.2. This definitely affects the payment provider Pay Point, but more may be discovered to be affected in the coming weeks.
These providers are used to take payments, both online and in shops (e.g. when you pay with your card in a newsagents, the system you’re using could be something like Pay Point).
What is TLS?
Transport Layer Security (TLS) is the successor to SSL. It encrypts information so that it can be sent securely over the internet.
Windows users – this is for you!
If you’re wondering why this can’t be fixed in Windows Server 2003 / Server 2008 (NON R2), it’s because Microsoft has never released patches or updates that add TLS 1.2 support to those versions.
We have been in contact with Microsoft directly to ask if they will be working on this but as yet haven’t received a definitive answer.
Linux users – this is your jam!
If you’re wondering why it can’t be fixed in CentOS 5 / RHEL 5, we asked Red Hat and they replied:
“We did have the inclusion of TLS 1.2 tracked in an internal feature request and it was denied. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. It is impossible to update openssl to support TLS v1.2 in RHEL-5. A separate stack of packages would have to be created to implement this RFE and this would not be manageable and maintainable for RHEL 5 in phase 3 of its life cycle:”
In simple terms, it’s too much work to fix this in an operating system that was initially released in 2007.
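A quick way to audit which Linux hosts are affected, as an added example (not from Sec Pay, Red Hat or UKFast): TLS 1.2 support arrived in OpenSSL 1.0.1, so the `openssl version` banner shows whether the system library can negotiate it. The host names and inventory lines below are constructed sample data, and the `host|banner` format is an assumption.

```shell
#!/bin/sh
# Added example: flag hosts whose system OpenSSL predates 1.0.1, the first
# release able to negotiate TLS 1.2.

# tls12_capable "<openssl version banner>"
# returns 0 = can do TLS 1.2, 1 = cannot, 2 = banner not recognised
tls12_capable() {
    # Extract "major minor patch" from e.g. "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    if [ "$1" -gt 1 ]; then return 0; fi      # 3.x and later
    if [ "$1" -lt 1 ]; then return 1; fi      # 0.9.x
    if [ "$2" -gt 0 ]; then return 0; fi      # 1.1.x
    if [ "$3" -ge 1 ]; then return 0; fi      # 1.0.1, 1.0.2
    return 1                                  # 1.0.0
}

# audit_inventory: reads "host|banner" lines on stdin and prints one
# tab-separated line for every host that is not confirmed TLS 1.2 capable.
audit_inventory() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        rc=0
        tls12_capable "$banner" || rc=$?
        case $rc in
            0) ;;
            1) printf '%s\tNO-TLS1.2\t%s\n' "$host" "$banner" ;;
            *) printf '%s\tUNKNOWN\t%s\n' "$host" "$banner" ;;
        esac
    done
}

# Constructed sample inventory (hypothetical hosts, realistic banner shapes).
SAMPLE_INVENTORY='web01|OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
web02|OpenSSL 1.0.1e-fips 11 Feb 2013
pay01|OpenSSL 1.0.0-fips 29 Mar 2010
app01|LibreSSL 2.8.3'

audit_sample() { printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory; }

# On a real host, feed it the live banner: tls12_capable "$(openssl version)"
audit_sample
```

The banner only describes the system OpenSSL; applications that bundle their own TLS library need checking separately.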
What does this mean for you?
If you use a payment gateway, the version of TLS you use may no longer be supported (this is definitely the case if you use Pay Point/Sec Pay), which could mean you will be unable to process payments after 1st April.
The simplest thing to do is contact your payment provider to find out if they will only be supporting TLS 1.2 in the future; however, this is also an opportunity to upgrade and ensure you have the most up-to-date supported tech.
**UKFast clients please note that you will receive an email if we believe this affects you, but if you are still concerned you should also contact your payment provider.**
UPDATE: Sec Pay has just confirmed that it is no longer planning on enforcing TLSv1.2 from April, and will continue to accept connections over TLS1, at least in the short term. This means that EL5 and versions of Windows previously thought to be affected will not be at risk at this time, barring any unforeseen errors. We recommend monitoring Sec Pay for further information on the situation.
We’ll be talking to our customers about this, but if you’re not already a UKFast customer and want to know more give us a call on 0208 045 4945!