TSYS SSL3 to TLS Migration

TSYS notified all partners this week that they are implementing an important mandatory security enhancement that impacts ALL TSYS IP interface users effective January 15, 2015. The change involves a security encryption change within TSYS from the SSL3 method (which has been proven to be susceptible to the POODLE breach) to TLS encryption, which is not vulnerable. This migration has the potential to effect EVER TSYS location you have. Focus POS supports the new TLS 1.2, 1.1 and 1.0 encryption auto negotiating the highest level of encryption however only Windows 7 and newer operating systems support TLS 1.1 and 1.2. We have tested on POS Ready 2009 with IE 8 with SSL 3.0 disabled, TLS 1.0 enabled and was able to get authorizations and settle on our test account. However we will not know the full extent of the migration for a few more days. Like the Chase Partnertech changes we alerted you on yesterday Windows XP and older operating systems will most likely no longer work. We are in contact with TSYS developer support to try and get more details and they have a scheduled webinar on 1/8/2015 we will be attending. Sites using any Datacap products and TSYS/Vital will have to upgrade. Below is a part of Datacap’s release about the migration, information on the TSYS webinar and instructions from Microsoft’s Technet on disabling SSL 3.0.

From Datacap:
All TSYS IP interface users must upgrade to enable TLS usage, and therefore all users of TSYS NETePay, DataTran and IPTran who are not using the latest versions must upgrade to the latest version to be able to continue to process transactions on and after January 15, 2015.

Datacap has requested and is hoping that the TSYS update will be delayed to allow TSYS IP interface users more time to upgrade, but this cannot be assumed, and any extensions that might occur will likely be brief.

Link to full press release:
http://www.datacapsystems.com/press-releases/2014/12/29/action-required-tsys-security-update-requires-datacap-hardwa.html

Disabling SSL 3.0 in IE:

Apply Workarounds
Workarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available.
• Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer You can disable the SSL 3.0 protocol in Internet Explorer by modifying the Advanced Security settings in Internet Explorer.
To change the default protocol version to be used for HTTPS requests, perform the following steps:
1 On the Internet Explorer Tools menu, click Internet Options.
2 In the Internet Options dialog box, click the Advanced tab.
3 In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
4 Note It is important to check consecutive versions. Not selecting consecutive versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in connection errors.
5 Click OK.
6 Exit and restart Internet Explorer.

Note After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.

TSYS Webinar:

Event Information
Date: Thursday, January 08, 2015
Time: 1 p.m. EST / 10 a.m. PST
Dial-In Number: 1-866-356-9505
Conference Code: 412 257 2723
Event Number: 742 600 686
Event Password: VAREDU01082015
Registration Link:
http://go.pardot.com/e/30922/7f9ed63b1b132d98bcf8e70cb26fb2/r4sr2/103058549