Hi,
I received an email about "Important TLS Disablement Notice" and wanted to double check who this affects.
This is something that only affects customers that are connecting to Authorize.Net from their servers using, for example, the Advanced Integration Method.
But, for example, in Direct Post Method the payment information goes directly from the customer's PC to Authorize.Net servers.
And so if we are connecting using the Direct Post Method, where the payment doesn't go through the merchant's server, then this would not affect us. Is that correct?
If that is correct, what about the relay response page? Is there any scenario where this could affect that?
Thanks
05-05-2017 07:33 PM
Hello @kk
The change affects endpoints and API methods including AIM and CIM using NVP, XML or JSON. The developer sandbox is ready for testing and only supports a TLS 1.2 connection.
Richard
05-05-2017 07:43 PM - edited 05-05-2017 08:34 PM
Thanks, I guess I'll have to let our vendor know to test this.
But I would love an explanation of this, especially since this will cost money to test by our vendor.
Seems like in DPM method the connection is between the user, who might be in China, and Authorize.Net.
As long as the guy in China has TLS 1.2 enabled in their browser it should work.
I don't get it. What would I be testing?
The connection doesn't come to our server.
05-05-2017 07:58 PM
When using Direct Post Method (DPM), your server generates the form where your customers enter their credit card information, which must be an HTTPS page secured with TLS 1.2 in order to be PCI compliant. If it's not, an attacker could modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the customer's information as it is typed.
By the way, with the release of Accept.js, the DPM is considered to be deprecated - now obsolete and in the process of being phased out.
05-06-2017 06:17 AM - edited 05-06-2017 06:20 AM
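An added example, not part of the original thread and not Authorize.Net code: one way to check the point made in the reply above, that the server hosting the DPM payment form accepts a TLS 1.2 connection. The host name `shop.example.com` is a placeholder assumption; substitute the host that serves your own form page.

```python
import socket
import ssl
import sys


def tls12_only_context():
    """Client context that will negotiate TLS 1.2 and nothing else."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Attempt a TLS 1.2-only handshake and report the outcome.

    Returns a dict with ok=True plus the negotiated version and cipher,
    or ok=False plus the error, so a caller can log it or fail a build.
    """
    ctx = tls12_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True,
                        "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        # Covers handshake refusal, certificate failure, refused
        # connections and timeouts.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Placeholder host (assumption); pass your own form host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example.com"
    result = probe(target)
    print(target, result)
    sys.exit(0 if result["ok"] else 1)
```

A result of `ok: False` with an SSL error means the form host could not complete a TLS 1.2 handshake with a valid certificate and needs attention before the form page is served from it.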
Thank you for your replies.
Should a website be tested using DPM now in an effort to determine TLS 1.2 compatibility? Or is DPM compliant? I understand it is deprecated, although the transition to Accept.js could happen after the deadline, correct (if it is TLS 1.2 compliant)? What I am truly asking is: is DPM compatible with TLS 1.2?
05-24-2017 07:34 PM