TLS 1.0 - End of Life

by PCI Booking

On June 30, 2018, TLS 1.0 (an older security protocol used on SSL secure web pages) passed the deadline of when the PCI Council considers it obsolete and a PCI violation.

You can read more details on the PCI Council blog post.

How PCI Booking prepared for this change:

In order to comply with all PCI-DSS 3.1 guidelines, PCI Booking ceased support of TLS 1.0 (an older version of SSL) on June 1st, 2018.

Since this date, three types of connections have been affected in PCI Booking. The following table describes how PCI Booking addressed each one.

1. Inbound connections to PCI Booking’s API from customers:

  • Previously, PCI Booking supported all connection types.
  • From June 1st, 2018, PCI Booking no longer supports connections on TLS 1.0.
  • Any requests sent with that security protocol are denied and rejected.

2. Outbound connections established from PCI Booking to third parties (used in the Tokenization In Response and Token Replacement methods):

  • Previously, PCI Booking attempted to establish a secure connection based on the following logic and based on the capabilities of the third party:
    • First an attempt was made over TLS 1.2.
    • If we could not establish a connection using TLS 1.2, PCI Booking automatically attempted to connect using TLS 1.1.

3. Inbound connections to PCI Booking’s gateway from third parties:

  • Previously, PCI Booking supports all connection types.
  • After June 1st, 2018, PCI Booking no longer supports connections on TLS 1.0.
  • Any requests sent with that security protocol are denied and rejected.

Talk to a Compliance Expert

PCI Booking brings all the benefits capturing, storing and processing of credit cards, all while shielding your infrastructure from ever directly handling any complete credit card data.

With PCI Booking’s expertise in PCI DSS Level 1 compliance solutions, your customers can rest assured that their payment data will remain safe and secure.

What should I do?

We recommend that you review your system and check if you are choosing a specific security protocol when sending requests to PCI Booking. If you are, we suggest that you begin work to change this behavior to use TLS 1.2. If you are not setting a specific security protocol, we recommend that you check with your infrastructure / network team to ensure that your server is configured so that TLS 1.0 is disabled.

Please note, you will still need to take the necessary steps to ensure that your entire system (unrelated to PCI Booking) is also configured with TLS 1.0 disabled.

Can I test my environment with PCI Booking?

Yes. Since January 15th 2018, PCI Booking has disabled support of TLS 1.0 on our pilot environment. This enables you to send requests to the pilot environment and confirm there are no issues with submitting requests. This change also included our test gateway sites.

Since the pilot environment is separate from the production one, you will need a new account in order to access the pilot system. Please contact our support and we will be happy to assist you in setting up a pilot account.

Once your account is set up, all you will need to do in order to use the pilot system is simply provide the API key for this new account and change the URL for PCI Booking to be https://service-pilot-tls.pcibooking.net/….

If you would like to test the gateway, simply use the test endpoints provided to you in the past by our support staff. If you are unsure of the endpoints or you would like to create a new one, please contact our support and we will be happy to assist in setting up or retrieving the gateway endpoint.