CyberSource Security Update - SSL certificate replacement
AnsweredI have received this communication from multiple customers that use CyberSource. Does this require action on Momentus or on customer?
Dear Valued Customer
What is happening:
To uphold the maximum levels of security and compliance in both your browser-based and server-to-server interactions with the CyberSource platform, we are transitioning all CyberSource endpoint SSL/TLS certificates from Entrust to DigiCert. These SSL/TLS certificates, originally issued by Entrust, will now be issued by DigiCert to fortify these communication channels.
This requires that all merchants who use CyberSource endpoint URLs to integrate the newly-issued Root and Intermediate (CA) SSL certificates from DigiCert into their systems. This must be done in both the TEST/CAS and Production environments prior to the scheduled revocation dates listed below.
CyberSource will also generate server-level (leaf) SSL certificates. However, it is recommended that merchants trust only the Root and Intermediate CA SSL certificates on all secure endpoints. This method avoids the annual necessity to renew the server-level certificate.
Why is CyberSource taking action:
The utmost priority for CyberSource is to maintain secure and compliant communication channels across all of its endpoint URLs. Additionally, Google has planned to revoke Entrust certificates on its Chrome platform by October 30, 2024. This decision will also affect CyberSource clients who access our endpoints through the Chrome browser.
When Cybersource will revoke Entrust Certificates:
Cybersource is planning to revoke Entrust SSL certificates on the following dates:
CAS/TEST environment: August 15th, 2024
Production environment: September 17th, 2024
Action Required:
Merchants using Cybersource endpoints should coordinate with their network team or hosting/solution provider to implement all necessary measures to ensure their connections to Cybersource properties follow industry standards. This includes updating their systems with the new Root and Intermediate (CA) SSL certificates, which correspond to the specific Cybersource endpoint they use.
We strongly urge you to test your implementation in the CAS/TEST environment as soon as Cybersource releases DigiCert new SSL certificates on August 15th, 2024. Testing in the Production environment won't be possible before the Production release date. Therefore, it's imperative to ensure your system is prepared by conducting all necessary tests in the CAS/TEST environment.
Please take note: Do not revoke or remove any of your existing Entrust certificates linked with Cybersource endpoints before the scheduled dates mentioned above. Until the cut-off dates, the only supported certificates will be the Entrust SSL certificates. You may add the new certificates to your system and verify their functionality in the CAS/TEST environment.
Here is a list of Cybersource URLs that require immediate attention:
CAS/TEST URLs:
accountupdatertest.cybersource.com
apitest.cybersource.com
batchtest.cybersource.com
api.accountupdatertest.cybersource.com
ics2wstest.ic3.com
ics2wstesta.ic3.com
Production URLs:
accountupdater.cybersource.com
api.cybersource.com
batch.cybersource.com
api.accountupdater.cybersource.com
ics2ws.ic3.com
ics2wsa.ic3.com
Root and Intermediate (CA) Certificates of the impacted Cybersource endpoints can be found in the below Knowledgebase article:
https://support.visaacceptance.com/knowledgebase/Knowledgearticle/?code=KA-05544
If your application requires trusting of certificates at the server (leaf) level, you must install (trust) the new certificates prior to expiration of existing certificates in order to avoid any production impact. The link to the Server-Level (leaf) SSL certificate will be updated later in the above Knowledgebase article once they become available.
Please contact your Customer Support representatives for any questions you may have about this change.
Thank You,
CyberSource Customer Support
-
Just a heads up that there's an email thread putting together an KB announcement for clients - short story, no action should be required.
Please sign in to leave a comment.
Comments
2 comments
Date Votes