Security Update on TLS 1.0 and 1.1 Deprecation
We’re determined to help drive better commerce with less risk. One component of doing this is obsessively adhering to the industry’s PCI Security Standards Council. So when this organization issued a mandate to wind down all use of dated protocols that fall short of newer criteria for strong cryptography, we were of course on board.
Thus in December, 2015, we first communicated our plans to deprecate Transport Layer Security (TLS) 1.0 and 1.1.
Following up on this, most WePay partner platforms have moved entirely away from TLS 1.0 and 1.1 – so much so that overall traffic for them is well below 2%. This is very good. Yet some still have a bit of work to do, and now’s the time it needs to be done.
Here’s our planned schedule for deprecating TLS 1.0 and 1.1:
- 07.31.2017: Discontinue support for TLS 1.0 and 1.1 in our stage environments (https://stage.wepay.com/login and https://stage.wepayapi.com).
- 09.30.2017: Discontinue support for TLS 1.0 and 1.1 in our production environments (https://www.wepay.com/login and https://wepayapi.com)
To ensure continued access to WePay services, partners may need to update internal technology stacks to support TLS 1.2. This may entail updating servers and/or programming language environments. You may also need to update lists of supported browsers (or versions) to ensure a fully functional WePay experience for merchants and payers.
If you have any questions, please contact firstname.lastname@example.org.
Finally, note we’ll continue to monitor for any emergent TLS 1.0 and 1.1 vulnerabilities until deprecation and will adapt our timeline as required to mitigate protocol-level issues if any arise.