Showing results for 
Search instead for 
Did you mean: 

Impact of TLS 1.2 Requirement when using Hosted Payment Form (SIM)

My client has an application that uses the Server Integration Method (SIM) aka "Payment Form" to accept credit card payments via the hosted form rather than handling payment data within the application.


They received a notice about the need to transition to TLS 1.2 but, based on the following excerpt from the SIM Guide, I do not believe any changes are required. Am I correct that no change is needed for the SIM Hosted Payment Form?


Excerpt from SIM Guide: SIM is an ideal integration solution because merchants are not required to collect, transmit, or store sensitive cardholder information to process transactions. Additionally,
SIM does not require merchants to purchase and install a SSL or TLS digital certificate,
reducing the complexity of securely handling and storing cardholder information,
simplifying compliance with the Payment Card Industry (PCI) Data Security Standard.


Thanks in advance for any responses.


Yes, you are right. Since the form is hosted in Anet Servers, you should just be able to access.

TLS change would affect to the users who are accessing APIs using XML( endpoints.

Authorize.Net Expert Authorize.Net Expert
Authorize.Net Expert

Hello, the SIM method is deprecated(in the process of being phased out), replaced by the Accept Hosted method:


After February 28, a TLS 1.2 connection will be required to communicate or interact with API servers.  This upgrade is mandated for all payment processors by the The Payment Card Industry Security Standards Council (PCI SSC) due to the existence of the POODLE and Heartbleed exploits, among others, which prove that anyone using SSL and early TLS risks being breached.

Powered by -
Certified developers
Trusted Contributor

Thank you so much for your response :)

Thank you for your response. Can you tell me what your answer would be to my original question if I update to Accepted Host method?

Depending on your server environment, you may not need to make any modifications. The Sandbox has only been accepting TLS 1.2 connection for a while. If you are able to create transactions or display the Hosted Payment Form from the Sandbox, then you don't need to make any modifications. Otherwise, in most cases, with a modern server, the upgrade to support TLS 1.2 is simple and beneficial to your system and business for many reasons in addition to processing payments.  

Powered by -
Certified developers

Thank you!

We got affected by the system shutdown on Feb 8 although we are using the Accept Hosted integration which is considered to be the latest integration. Can someone please explain -



As per the guideline below SIM integration needs to be changed to Accept Hosted or Accept.js; which we have converted to Accept Hosted using the Hosted Payment Form.


As per Accept Hosted API main page here the first step is to get the form token using "getHostedPaymentPageRequest" and for that you have to hit the endpoint (the same endpoint is supposed to get affected by TLS 1.2 upgrade as said by the expert user "bhav" above in the thread). I got this endpoint from this reference at the very top of the page.



Question 1: We are sending direct CURL post to the endpoint to get the form token and then the hosted form is sent to to charge the customer. I want to know if we use the PHP SDK to get the form token instead of using the direct CURL post will that work after Feb 27, 2018? As the user "bhav" describes will be obsolete and we can't make any direct CURL post to that URL? If PHP SDK will not be a future solution then what would be the alternative solution? I'm referring to the PHP SDK sample code here:

Question 2: Accept.js - We've been able to load the "Payment Nonce" using both the personal and hosted payment form using the Accept.js. Now to charge the customer card we have to use the payment nonce in the "createTransactionRequest" which is again pointing to if we use direct CURL post. I want to know same here, if we use the PHP SDK instead will that be future proof to use after Feb 27? I'm referring to the PHP SDK sample code here:



In other words I'm wanting to know if the PHP SDK uses the endpoint internally and if there is risk in using the PHP SDK too?