Security Update on TLS 1.0 and 1.1 Deprecation

June 27, 2017 Payments
By Atit Shah, Head of Security

We’re determined to help drive better commerce with less risk. One component of doing this is obsessively adhering to the standards of the industry’s PCI Security Standards Council. So when this organization issued a mandate to wind down all use of dated protocols that fall short of newer criteria for strong cryptography, we were of course on board.

Thus, in December 2015, we first communicated our plans to deprecate Transport Layer Security (TLS) 1.0 and 1.1.

Following up on this, most WePay partner platforms have moved entirely away from TLS 1.0 and 1.1 – so much so that overall traffic over these versions is well below 2%. This is very good. Yet some still have a bit of work to do, and now’s the time it needs to be done.

Here’s our planned schedule for deprecating TLS 1.0 and 1.1:

To ensure continued access to WePay services, partners may need to update internal technology stacks to support TLS 1.2. This may entail updating servers and/or programming language environments. You may also need to update lists of supported browsers (or versions) to ensure a fully functional WePay experience for merchants and payers.

If you have any questions, please contact api@wepay.com.

Finally, note we’ll continue to monitor for any emergent TLS 1.0 and 1.1 vulnerabilities until deprecation and will adapt our timeline as required to mitigate protocol-level issues if any arise.

About the author

Atit Shah is Head of Security for WePay. He has more than 11 years of combined experience in technology, security and leadership. Prior to WePay, he held security-related positions at Microsoft, Deloitte, and Ernst & Young.