CyberSource Security Requirements

CyberSource has announced dates for new mandatory security requirements:

  • End of June 2017 - TLS 1.2 required for all connections
  • Middle of May 2017 - disabling RC4 ciphers

These are important changes to help align their platform with the current PCI requirements, as well as to disallow TLS ciphers which are considered very insecure.

Note: as long as you are running CyberSource Toolkit for i version 3.10 or higher, no further product upgrades are required to address these issues.

TLS 1.2

TLS 1.2 is required for all connections to CyberSource’s production environment as of the end of June 2017.

IBM i 7.2+

TLS 1.2 is already available on these operating systems. You will need to ensure that the following system values are set appropriately:

QSSLCSLCTL = *OPSYS

Note: if QSSLCSLCTL is set to *USRDFN, please email our support team at isupport@katointegrations.com.

QSSLPCL =
*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3

IBM i 7.1

TLS 1.2 is available with PTF SI48659. Once this PTF is installed, you will need to ensure that the following system values are set appropriately:

QSSLCSLCTL = *OPSYS

Note: if QSSLCSLCTL is set to *USRDFN, please email our support team at isupport@katointegrations.com.

QSSLPCL =
*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3

RC4 Cipher End-of-Life

CyberSource is deprecating the usage of the RC4 cipher suite as of mid-May 2017.

IBM i 7.1+

You can view the TLS ciphers that are currently enabled on your system with the following command:

DSPSYSVAL SYSVAL(QSSLCSL)

Review the list and confirm that these entries are present:

  • RSA_AES_128_CBC_SHA256
  • RSA_AES_256_CBC_SHA256

If these entries are in the list, your system should handle the disabling of RC4 in CyberSource’s production environment. If you do not see these entries, please email our support team at isupport@katointegrations.com with screenshots of the list entries.
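
The checks described above (TLS 1.2 present in QSSLPCL, both AES SHA256 entries present in QSSLCSL) can be run against text copied from the DSPSYSVAL screens. The Python script below is an added example, not part of the toolkit or of CyberSource's documentation; the function names and the sample screen text are constructed for illustration.

```python
import re

# Entries the page says to look for (page lists ciphers without the leading '*').
REQUIRED_CIPHERS = {"RSA_AES_128_CBC_SHA256", "RSA_AES_256_CBC_SHA256"}
REQUIRED_PROTOCOL = "TLSV1.2"

# Constructed sample text, standing in for values copied from DSPSYSVAL screens.
SAMPLE_QSSLPCL = "*TLSV1.2\n*TLSV1.1\n*TLSV1\n*SSLV3\n"
SAMPLE_QSSLCSL = """
   10   *RSA_AES_128_CBC_SHA
   20   *RSA_RC4_128_SHA
   30   *RSA_AES_128_CBC_SHA256
   40   *RSA_3DES_EDE_CBC_SHA
"""


def parse_entries(text):
    """Return system-value entries found in pasted text, upper-cased and
    without the leading '*'. Only tokens that start with '*' or contain '_'
    are kept, so screen labels and sequence numbers are ignored."""
    entries = []
    for token in re.findall(r"\*?[A-Za-z][A-Za-z0-9_.]*", text):
        if token.startswith("*") or "_" in token:
            entries.append(token.lstrip("*").rstrip(".").upper())
    return entries


def check_system_values(qsslpcl_text, qsslcsl_text):
    """Apply the page's checks to the two system values."""
    protocols = parse_entries(qsslpcl_text)
    ciphers = parse_entries(qsslcsl_text)
    return {
        "tls12_enabled": REQUIRED_PROTOCOL in protocols,
        # Exact match: RSA_AES_128_CBC_SHA does not satisfy ..._SHA256.
        "missing_ciphers": sorted(REQUIRED_CIPHERS - set(ciphers)),
        # Informational: RC4 entries still in the local list.
        "rc4_ciphers": [c for c in ciphers if "RC4" in c.split("_")],
    }


if __name__ == "__main__":
    result = check_system_values(SAMPLE_QSSLPCL, SAMPLE_QSSLCSL)
    print("TLS 1.2 enabled in QSSLPCL:", result["tls12_enabled"])
    print("Required ciphers missing from QSSLCSL:", result["missing_ciphers"] or "none")
    print("RC4 entries still listed:", result["rc4_ciphers"] or "none")
```

With the constructed sample, the script reports one required entry as missing because the list contains the SHA-1 variant of the AES-128 cipher plus only one of the two SHA256 entries, which is easy to overlook when reading the screen by eye.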