CyberSource Security Requirements

CyberSource has announced dates for new mandatory security requirements:

  • End of June 2017 - TLS 1.2 required for all connections
  • Middle of May 2017 - disabling RC4 ciphers

These are important changes to help align their platform with the current PCI requirements, as well as to disallow TLS ciphers which are considered very insecure.

Note: so long as you are running a minimum of CyberSource Toolkit for i version 3.10 or higher, further product upgrades are not required to address these issues.

TLS 1.2

TLS 1.2 is required for all connections to CyberSource’s production environment as of the end of June 2017.

IBM i 7.2/7.3

TLS 1.2 is already available on these operating systems. You will need to ensure that the following system values are set appropriately:

QSSLCSLCTL = *OPSYS

Note: if QSSLCSLCTL is set to *USRDFN, please email our support team at isupport@krengeltech.com.

QSSLPCL =
*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3

IBM i 7.1

TLS 1.2 is available with PTF SI48659. Once this PTF is installed, you will need to ensure that the following system values are set appropriately:

QSSLCSLCTL = *OPSYS

Note: if QSSLCSLCTL is set to *USRDFN, please email our support team at isupport@krengeltech.com.

QSSLPCL =
*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3

RC4 Cipher End-of-Life

CyberSource is deprecating the usage of the RC4 cipher suite as of mid-May 2017.

IBM i 7.1/7.2/7.3

You can view the TLS ciphers that are currently enabled on your system with the following command:

DSPSYSVAL SYSVAL(QSSLCSL)

Review the ciphers and see that these entries are listed:

  • RSA_AES_128_CBC_SHA256
  • RSA_AES_256_CBC_SHA256

If these entries are in the list, your system should handle the disabling of RC4 in CyberSource’s production environment. If you do not see these entries, please email our support team at isupport@krengeltech.com with screenshots of the list entries.