Gateway

Global Payments Integrated - Merchantware - Planned Change - Disable Weak Cipher Suites

Maintenance Planned

A permanent change to supported cipher suites is scheduled for:

‘Cayan’ MerchantWare (Genius) platform - Thursday, September 19th, 2024, 9:30am UTC

In accordance with evolving security best practices, all Global Payments Integrated customer-facing platforms will be updated with a new, restrictive list of supported cipher suites. Ciphers are one component determining encryption strength for every connection between merchant POS systems and GP Integrated’s Gateway platforms. A detailed description of cipher suites can be found here.

Currently supported cipher suites include:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

The updated cipher list will restrict available ciphers to only the two denoted below:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

These two cipher suites are widely supported by all major browsers, operating systems and applications. Monitoring of all platform traffic confirms that near 100% of our customers support these ciphers and should not experience any issues after the change.

To be certain, it is recommended you verify cipher support using a tool such as Qualys SSL Labs Client Test.

*The test must be performed from the system(s) connecting to GP Integrated’s platforms to perform transactions and/or access our hosted payment and merchant portal applications.

Relevant information is listed in the Protocol Features - Cipher Suites Section. Your results should be compared to the updated cipher list above to ensure at least one of the listed ciphers matches.

*The hex reference for each cipher (e.g. 0xc030) is provided and is the most accurate way to compare cipher references, as naming formats can vary.
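The hex comparison described above can be scripted. The following is an added example, not code from Global Payments Integrated: it normalizes cipher references in several notations to their 16-bit code and compares them with the lists in this notice. The function names are hypothetical, and `local_openssl_codes()` reports only what this Python interpreter's OpenSSL build offers, which may differ from the TLS stack your POS application actually uses.

```python
import ssl

# Hex codes and names exactly as listed in the notice.
RETAINED = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
REMOVED = {0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
           0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
           0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
           0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
           0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256"}


def parse_code(value):
    """Normalize a suite reference to its 16-bit code.

    Accepts ints (including OpenSSL's 0x0300C030 form), '0xc030', 'C030'
    and the two-byte form '0xC0,0x30'.
    """
    if isinstance(value, int):
        return value & 0xFFFF
    parts = [int(p.strip(), 16) for p in value.split(",")]
    if len(parts) == 2:
        return (parts[0] << 8) | parts[1]
    return parts[0] & 0xFFFF


def assess(offered):
    """Compare a client's offered suites with the post-change list."""
    codes = {parse_code(v) for v in offered}
    matching = [RETAINED[c] for c in sorted(codes & set(RETAINED), reverse=True)]
    dropped = [REMOVED[c] for c in sorted(codes & set(REMOVED), reverse=True)]
    # A client is affected only if none of its suites survive the change.
    return {"compatible": bool(matching), "matching": matching,
            "relied_on_removed": dropped if not matching else []}


def local_openssl_codes():
    """Suite ids offered by this Python's default OpenSSL client context."""
    ctx = ssl.create_default_context()
    return [c["id"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample: a client restricted to RSA key-exchange suites.
    legacy_client = ["0x9d", "0x9c", "0x3d", "0x3c"]
    print("legacy client:", assess(legacy_client))
    print("this interpreter:", assess(local_openssl_codes()))
```

To check a different client, pass the hex values shown in its SSL Labs Client Test results to `assess()`.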

If there are no matching results, you will need to contact your appropriate IT support team to assist in remedial action. The most common reasons are:

  1. An outdated or no longer supported operating system, such as Windows 2012/2012R2*. Ensure your systems are running an OS that is still actively receiving security updates, and supports current best practice encryption technologies.
    *Server 2012R2 is supported until Dec. 31st 2024 with an Extended Support License Key

  2. A client-side cipher restriction list that does not include the two ciphers listed above.

As a reminder, under PCI-DSS Requirement 6, all in-scope systems should be regularly updated with vendor-supplied updates. PCI-DSS compliant systems will have support for the above ciphers if enabled.