SOURCE: Plug & Pay Technologies Inc.
Modification To Permitted Ciphers
Hauppauge, NY - October 24, 2016

URGENT NOTICE
MODIFICATION TO PERMITTED ENCRYPTION CIPHERS

Effective October 24th 2016

Due to the ever changing landscape of internet security, we are required to make changes to our environment to keep our systems secure from attackers.

Recently, the details of an attack that exploits a vulnerability in TLS Triple-DES ciphers were published.

To maintain our systems' security, we will be disabling these ciphers on October 24th 2016.

Usually, when an HTTPS URL is called, the requesting system negotiates with the server being called and selects/uses the most secure encryption cipher that the requesting system can support for that given request.

However, in some cases, older APIs &/or dated operating systems (such as earlier versions of Windows) may rely on older encryption cipher suites and can no longer invoke a strong encryption cipher. As such, when more secure ciphers are required than what the requesting system can support, the given API/system will no longer be able to communicate properly with our gateway.

There are several versions of Windows we believe to be affected by this matter, which include Windows 2003, Windows 2000, Windows XP, Windows XP Embedded, some versions of Windows CE &/or other editions of Windows prior to the ones just listed. Some Unix/Linux systems running older versions of OpenSSL &/or other related encryption suites could potentially also be affected, if said encryption suite is not kept current.

This change should not affect the vast majority of users, so long as their system is not End Of Life (EOL).

We have already taken the preventative measures of directly contacting affected merchants, resellers &/or partners, and worked with them where possible.

With that being said, some merchants &/or their customers may experience difficulties connecting to the payment gateway after the insecure cipher(s) are disabled.

If the user's browser, app/interface &/or server is no longer able to reach our payment gateway's domain, the given system is likely affected by the above cipher restriction.

Before outlining possible workarounds, it is highly recommended to check your cardholder data environment (CDE), such as workstations &/or servers, for compliance. Usage of systems/apps within your cardholder data environment (CDE) that are flagged End Of Life (EOL) by the vendor means it is not in PCI compliance. Refer to PCI Data Security Standard 3.2, sub-section 6.2, for why EOL systems/apps fall under PCI non-compliance. Your Qualified Security Assessor (QSA) will be able to assist you further with that matter.

With that non-compliance understanding established, below are common operating systems & their current standing:

* Solutions offered below for End of Life (EOL) flagged systems are simply to permit users to immediately restore payment processing abilities, giving them a chance to migrate to a more secure & PCI compliant solution. We cannot guarantee how long said solutions may last, so it's prudent to expedite any migration plans from affected systems ASAP.


WORKSTATIONS/DESKTOPS

Windows 10
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched
• Reset your browser settings to factory defaults, or try an alternative browser

Windows 8 & 8.1
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched
• Reset your browser settings to factory defaults, or try an alternative browser

Windows 7
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched
• Reset your browser settings to factory defaults, or try an alternative browser

Windows Vista
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched
• Reset your browser settings to factory defaults, or try an alternative browser

Windows XP
• Microsoft made this operating system End Of Life (EOL) as of April 8th 2014.
• It is highly recommended users migrate to a new version of Windows.
• If that is not possible, ensure the OS & related software is updated/patched as much as permitted.
• Internet Explorer for WinXP is EOL & under normal circumstances is no longer compatible.
    [Click Here For An Experimental Solution]
• Chrome is already EOL for WinXP, but supports some allowed ciphers.
    [To install, you'll need to find an offline installer of Google Chrome below version 50 for WinXP compatibility]
• Firefox only supports WinXP SP3, but supports many allowed ciphers & is actively patched.
    [To install, you can use the installer directly from Mozilla's website]
• User would install Firefox or Chrome browser, and set it as the PC's default browser.
    [* This step is required for certain apps, such as Vermont Software's RecTrac, to work properly within WinXP's environment.]

Windows ME, 98, 98SE & earlier
• Microsoft made these operating systems End Of Life (EOL) a very long time ago.
• These operating systems are simply too old to invoke ciphers permitted by our gateway.
• There are no known patches to restore compatibility.
• You'll need to migrate to a newer version of Windows.

Unix/Linux workstations
• Fully patch your workstation's operating system
• Ensure OpenSSL or other related encryption suite installed is current
• Remove any hard-coded protocol/cipher settings from the workstation/app which may prevent automatic negotiation of stronger ciphers from happening.
• For browser issues, ensure you're using the most current version of your selected browser
• If still not working, try using an alternative browser, such as Mozilla Firefox or Google Chrome.


SERVERS

Windows Server 2016
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched

Windows Server 2012
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched

Windows Server 2008
• No compatibility issues known.
• Ensure your OS & related software is fully updated/patched

Windows Server 2003
• Microsoft made this operating system End Of Life (EOL) as of July 14th 2015.
• Under default conditions, this operating system can no longer invoke ciphers permitted by our gateway.
• However if you install the below hotfix, it'll enable additional ciphers, thus restoring compatibility for a time.
    Windows 2003 Cipher Hotfix (KB3055973)

Windows Server 2000
• Microsoft made this operating system End Of Life (EOL) as of July 13th 2010.
• This operating system is too old to invoke ciphers permitted by our gateway.
• There are no known patches to restore compatibility.
• You'll need to migrate to a newer version of Windows Server.

Unix/Linux Servers
• Fully patch your server's operating system
• Ensure OpenSSL or related encryption suite installed is current
• Remove any hard-coded protocol/cipher settings from the system/app which may prevent automatic negotiation of stronger ciphers from happening.
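A client-side check for the cipher negotiation described in the "Usually, when an HTTPS URL is called" paragraph and for the Unix/Linux advice above about OpenSSL and hard-coded cipher settings. This is an added example, not part of this notice or of Plug & Pay's software: it lists what the local OpenSSL would offer, builds a client context that excludes Triple-DES, and can report which suite a given host negotiates. It assumes Python 3 with the standard ssl module; the gateway hostname passed to check_gateway is whatever your integration already uses.

```python
# Added example, not part of the Plug & Pay notice: audit which TLS suites this
# client's OpenSSL would offer, and build a client context that cannot fall back
# to Triple-DES. Only Python's standard ssl module is used.
import socket
import ssl

def offered_ciphers(cipher_string="DEFAULT"):
    """Suite names the local OpenSSL offers for an OpenSSL cipher string;
    [] if this build has none of them (e.g. 3DES compiled out)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def triple_des_suites(names):
    """OpenSSL spells 3DES suites with '3DES' or 'DES-CBC3' (e.g. ECDHE-RSA-DES-CBC3-SHA)."""
    return [n for n in names if "3DES" in n or "DES-CBC3" in n]

def aes_suites(names):
    """AES suites, the family the gateway still accepts."""
    return [n for n in names if "AES" in n]

def hardened_context():
    """Verifies certificates, speaks TLS 1.2 or newer, and excludes 3DES
    explicitly (OpenSSL 1.0.x still keeps 3DES inside HIGH)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!3DES:!RC4:!MD5:!aNULL:!eNULL")
    return ctx

def audit_client():
    """What this machine would offer before and after hardening."""
    default = offered_ciphers("DEFAULT")
    hardened = [c["name"] for c in hardened_context().get_ciphers()]
    return {
        "default_offers_3des": bool(triple_des_suites(default)),
        "hardened_offers_3des": bool(triple_des_suites(hardened)),
        "hardened_offers_aes": bool(aes_suites(hardened)),
    }

def check_gateway(host, port=443, timeout=5.0):
    """Connect with the hardened context and return (TLS version, suite name).
    Raises ssl.SSLError if the server only offers suites we refuse. Network
    call, so not exercised offline; 'host' is your gateway hostname."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with hardened_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

If audit_client() reports default_offers_3des as True, the client would still accept a 3DES suite when a server prefers it, which is exactly the hard-coded or stale cipher configuration the advice above asks you to remove.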


If access issues persist after attending to the above, please Email Tech Support or use the Online Helpdesk for additional assistance.