We will be retiring the use of Transport Layer Security (TLS) 1.0 on September 20, 2018 in accordance with the requirements of the PCI Security Standards Council (PCI SSC). To ensure uninterrupted access to all of our websites, including FirstView & the Daily Dashboard, and to any API integrations, web browsers and platforms must be updated to versions that support TLS 1.1 or 1.2 before the September 20 deadline.

Below you will find additional information relevant to the requirement change. Your action is required to facilitate this update before September 20.

To test your browser to determine if it is compatible, click here and view the Protocol Support box: https://www.ssllabs.com/ssltest/viewMyClient.html

Questions?
If you have further questions about this transition after reading the information below, please use the form at the bottom of the page to contact us.

Overview

 

What is TLS 1.0?
Transport Layer Security (TLS) is the most widely deployed security protocol used today. Three versions are currently in use: TLS 1.0, 1.1, and 1.2. TLS 1.0 originated in 1999 as a replacement for SSL v3 and is now being deprecated globally.

Internet browser sessions, as well as API connections, utilize TLS to ensure data integrity and confidentiality.

 

What is changing?
Starting August 14, 2018, TLS 1.0 will be disabled across the organization. Any connection made over TLS 1.0 will fail (Internet browser sessions and API integrations). TLS 1.0 will need to be disabled in order to connect to us in any way.

Why is this changing?
TLS 1.0 is no longer considered a secure form of communication. The protocol is vulnerable to man-in-the-middle attacks, which compromise data integrity and confidentiality. Because of this, PCI standards mandate that TLS 1.0 can no longer be a form of compliant communication and must be deprecated. The PCI Council will officially deprecate TLS 1.0 on August 14, 2018.

In order to provide the maximum level of security for our partners and merchants, we will be abiding by these requirements and will begin enforcing them June 30, 2018. 

What actions need to be taken?
The following actions need to be taken prior to August 14, 2018 to ensure that browsers and APIs do not have any interruptions in connectivity with our sites or systems.

  • Ensure that browsers have TLS 1.0 disabled and that you are using a compatible browser
  • Ensure that any APIs used are built on a compatible platform

Below are two tables that list all compatible browsers, platforms, and libraries.

 

Internet Browsers
You need to ensure that your Internet browser is compatible with TLS 1.1 or higher. The following table displays the browsers that are compatible as well as instructions on how to disable/enable 1.0, 1.1, and 1.2:

 

Browser

Compatibility Notes

Microsoft Internet Explorer (IE)

 

Desktop and Mobile IE version 11

Compatible with TLS 1.1 or higher by default
If you see the "Stronger security is required" error message, you may need to turn off the TLS 1.0 setting in the Internet Options > Advanced Settings list.

 

Desktop IE versions 8, 9, and 10

Compatible only when running Windows 7 or newer, but not by default. Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2.

Desktop IE versions 7 and below

Not compatible with TLS 1.1 or higher encryption.

Mobile IE versions 10 and below

Not compatible with TLS 1.1 or higher encryption.

Microsoft Edge

Compatible with TLS 1.1 or higher by default.

Mozilla Firefox

 

Firefox 27 and higher

Compatible with TLS 1.1 or higher by default.

Firefox 23 to 26

Compatible, but not by default.
Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2.

Firefox 22 and below

Not compatible with TLS 1.1 or higher encryption.

Google Chrome

 

Google Chrome 38 and higher

Compatible with TLS 1.1 or higher by default.

Google Chrome 22 to 37

Compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile).

Google Chrome 21 and below

Not compatible with TLS 1.1 or higher encryption.

Google Android OS Browser

 

Android 5.0 (Lollipop) and higher

Compatible with TLS 1.1 or higher by default.

Android 4.4 (KitKat) to 4.4.4

May be compatible with TLS 1.1 or higher. Some devices with Android 4.4.x may not support TLS 1.1 or higher.

Android 4.3 (Jelly Bean) and below

Not compatible with TLS 1.1 or higher encryption.

Apple Safari

 

Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher

Compatible with TLS 1.1 or higher by default.

Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below

Not compatible with TLS 1.1 or higher encryption.

Mobile Safari versions 5 and higher for iOS 5 and higher

Compatible with TLS 1.1 or higher by default.

Mobile Safari for iOS 4 and below

Not compatible with TLS 1.1 or higher encryption.

 

API Integrations

If you communicate with our systems via API, then you need to ensure that the platform or library that you are running is compatible with TLS 1.1 or higher. The following table displays all platforms and libraries that are compatible with higher versions of TLS, as well as instructions on disabling/enabling 1.0, 1.1, and 1.2:

 

Platform or Library

Compatibility Notes

Java (Oracle)

 

Java 8 (1.8) and higher

Compatible with TLS 1.1 or higher by default.

Java 7 (1.7)

Enable TLS 1.1 and TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 and TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.

Java 6 (1.6) update 111 and higher

Enable TLS 1.1 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. This Java 6 update and newer updates are not publicly available and require a support contract for Java 6 from Oracle.

Java 6 (1.6) and below (publicly available version)

Not compatible with TLS 1.1 or higher encryption. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.

Java (IBM)

 

Java 8

Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application or a library called by it uses SSLContext.getInstance("TLS").

Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM2.6) and higher, Java 6 service refresh 10 and higher

Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.

.NET

 

.NET 4.6 and higher

Compatible with TLS 1.1 or higher by default.

.NET 4.5 to 4.5.2

.NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.

Option 1:
.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Option 2:
It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

.NET 4.0

.NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file.

These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

.NET 3.5 and below

Not compatible with TLS 1.1 or higher encryption

Python

 

Python 2.7.9 and higher

TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.

Ruby 1.9.3 and below

Not compatible with TLS 1.1 or higher encryption

Ruby

 

Ruby 2.0.0

TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.

Ruby 1.9.3 and below

The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher.

Microsoft WinINet

 

Windows Server 2012 R2 and higher
Windows 8.1 and higher

Compatible with TLS 1.1 or higher by default.

Windows Server 2008 R2 to 2012
Windows 7 and 8

Compatible by default if Internet Explorer 11 is installed. If Internet Explorer 8, 9, or 10 is installed, then TLS 1.1 and TLS 1.2 will need to get enabled by the user or an administrator for compatibility. Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer article to enable TLS 1.1 or higher encryption.

Windows Server 2008 and below
Windows Vista and below

Not compatible with TLS 1.1 or higher encryption.

Microsoft Secure Channel (Schannel)

 

Windows Server 2012 R2 and higher
Windows 8.1 and higher

Compatible with TLS 1.1 or higher by default.

Windows Server 2012
Windows 8

TLS 1.1 and TLS 1.2 are disabled by default, but are available if enabled by an application. TLS 1.1 and TLS 1.2 can be enabled by default within the registry. Those registry settings are also available as a registry import file.

Windows Server 2008 R2
Windows 7

Compatible by default in client mode when Internet Explorer 11 is installed. If Internet Explorer 11 is not installed or if Salesforce needs to connect to a service running on this type of system, then TLS 1.1 and TLS 1.2 can be enabled by default within the registry. Those registry settings are also available as a registry import file.

Windows Server 2008 and below
Windows Vista and below

Not compatible with TLS 1.1 or higher encryption.

Microsoft WinHTTP and Webio

 

Windows Server 2012 R2 and higher
Windows 8.1 and higher

Compatible with TLS 1.1 and TLS 1.2 by default

Windows Server 2008 R2 SP1 and 2012
Windows 7 SP1

With KB3140245 applied, Webio is compatible by default, and WinHTTP can be configured via registry settings to enable TLS 1.1 and TLS 1.2.

Windows Server 2008 and below
Windows Vista and below

Not compatible with TLS 1.1 or higher encryption

OpenSSL

 

OpenSSL 1.0.1 and higher

Compatible with TLS 1.1 or higher by default.

OpenSSL 1.0.0 and below

Not compatible with TLS 1.1 or higher encryption.

Mozilla NSS

 

3.15.1 and higher

Compatible with TLS 1.1 or higher by default.

3.14 to 3.15

Compatible with TLS 1.1, but not with TLS 1.2.

3.13.6 and below

Not compatible with TLS 1.1 or higher encryption.
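
For API integrations written in Python, the sketch below is an added example (not part of the original notice) that checks what the local Python/OpenSSL stack actually offers: it starts a handshake in memory, captures the ClientHello, and reads the advertised protocol versions from it. It assumes Python 3.7 or newer; the host name api.example.test and all function names are placeholders chosen for this example.

```python
import ssl
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def hardened_context():
    """Client context that refuses TLS 1.0 and 1.1 (Python 3.7+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def capture_client_hello(ctx):
    """Start a handshake in memory and return the raw ClientHello record."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # api.example.test is a placeholder name; nothing is sent on the network.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="api.example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    return outgoing.read()

def offered_versions(record):
    """Return the protocol versions a ClientHello record advertises."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    legacy = struct.unpack_from(">H", record, 9)[0]       # client_version
    pos = 11 + 32                                          # skip random
    pos += 1 + record[pos]                                 # session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]    # cipher_suites
    pos += 1 + record[pos]                                 # compression_methods
    if pos + 2 <= len(record):                             # extensions present
        end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", record, pos)
            body = record[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                             # supported_versions
                count = body[0] // 2
                versions = struct.unpack(">%dH" % count, body[1:1 + 2 * count])
                return sorted(v for v in versions if v in NAMES)
            pos += 4 + ext_len
    # No supported_versions extension: client_version is the highest offered.
    return [legacy]

def survives_tls10_retirement(ctx):
    """True if the client offers TLS 1.1 or higher."""
    return max(offered_versions(capture_client_hello(ctx))) >= 0x0302

if __name__ == "__main__":
    hello = capture_client_hello(hardened_context())
    print(ssl.OPENSSL_VERSION, [NAMES.get(v, hex(v)) for v in offered_versions(hello)])
```

Passing the context your integration really uses to survives_tls10_retirement shows whether that client will still connect once TLS 1.0 is refused.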

Resources:

PCI – TLS 1.0
Test your browser to see if it is compatible with TLS 1.1 or 1.2
Enabling TLS 1.1 or 1.2 on your browser