Security Roadmap

SSL Certificate Replacement sec.paymentexpress.com
8pm Sunday the 23rd of July 2017 UTC


We will be replacing the trusted public certificate that secures the API endpoints at https://sec.paymentexpress.com, moving from one trusted certificate provider (Symantec) to another (DigiCert), at 8pm Sunday the 23rd of July 2017 UTC.

Use the following API, which already uses DigiCert's certificate chain, to test for any potential compatibility issues:

https://uat.paymentexpress.com/pxmi3/logon

DigiCert is a prominent, globally trusted certificate authority, so you should not need to make any changes to continue accessing the sec.paymentexpress.com APIs. You should, however, ensure that your environment trusts DigiCert's root and subordinate certificate authorities to avoid any complications.

If your application needs to explicitly trust the certificates, use the following download links.

sec.paymentexpress.com

uat.paymentexpress.com

If you have any queries about this change, please contact us.

Deprecation of Triple DES (3DES) cipher
8pm Tuesday the 22nd of August 2017 UTC


We will be deprecating support for the 3DES cipher for encrypting data over an HTTPS connection on all front-end web servers at Payment Express at 8pm Tuesday the 22nd of August 2017 UTC.

Referred to as “Sweet32”, this “birthday attack” can recover secure HTTP cookies during a long-established encrypted 3DES session. Once obtained, these secure cookies could hold sensitive information, such as your personal passwords or credit card information, that can be used for fraudulent means.

The impact of this change should be minimal, as it currently affects only 1% of all traffic to our front-end web servers. Please make sure, however, that your systems are not reliant on this cipher for encrypting traffic.

Use the following API to test the 3DES deprecation:

https://uat.paymentexpress.com/pxmi3/logon

If you have any queries about this change, please contact us.

Deprecation of TLS 1.0, TLS 1.1 uat.paymentexpress.com
8pm Tuesday the 29th of August 2017 UTC


The uat.paymentexpress.com APIs will deprecate support for the cryptographic protocols TLS 1.0 and TLS 1.1 at 8pm Tuesday the 29th of August 2017 UTC.

Please test with this environment, taking into consideration that on the 1st of November all other Payment Express front-end web servers will no longer be supporting TLS 1.0 and TLS 1.1.

If you have any queries about this change, please contact us.

Deprecation of TLS 1.0, TLS 1.1 sec.paymentexpress.com
8pm Tuesday the 31st of October 2017 UTC


The cryptographic protocols TLS 1.0 and TLS 1.1, which provide security over a network, will be deprecated at 8pm Tuesday the 31st of October 2017 UTC. After that, only TLS 1.2 and above will be allowed for all HTTPS connections to Payment Express front-end web servers.

These cryptographic protocols are being deprecated because of previously discovered security vulnerabilities, and so that Payment Express adheres to the Payment Card Industry Security Standards Council rule to no longer support these early TLS cryptographic protocols.

We hope that this change will not cause any inconvenience. At Payment Express we take security seriously, and these planned changes will benefit the internet security of not only Payment Express but also our clients.

If you have any queries about this change, please contact us.
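
A client-side readiness check for the three changes above, as an added example that is not Payment Express code: it handshakes with the UAT endpoint named in this notice using a context that refuses TLS 1.0/1.1 and 3DES, then reports the negotiated protocol, cipher and certificate issuer. The function names, the use of Python's ssl module as the client stack, and matching the issuer on the string "DigiCert" are assumptions of this example.

```python
import socket
import ssl

UAT_HOST = "uat.paymentexpress.com"  # test endpoint named in this notice


def strict_context():
    """Client context mirroring the announced server policy: TLS 1.2+, no 3DES."""
    ctx = ssl.create_default_context()            # verifies chain and hostname against the local trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1
    ctx.set_ciphers("DEFAULT:!3DES")              # never offer Triple DES suites
    return ctx


def is_3des(cipher_name):
    """OpenSSL names 3DES suites with 'DES-CBC3'; IANA names contain '3DES'."""
    return "DES-CBC3" in cipher_name or "3DES" in cipher_name


def probe(host, port=443, timeout=10):
    """Handshake with the strict context and report what was negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "issuer": issuer.get("organizationName", "")}


def assess(result):
    """Return a list of findings for a probe() result; an empty list means ready."""
    findings = []
    if result["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("negotiated " + result["protocol"] + ", below TLS 1.2")
    if is_3des(result["cipher"]):
        findings.append("negotiated 3DES suite " + result["cipher"])
    if "digicert" not in result["issuer"].lower():  # assumption: issuer organisation contains "DigiCert"
        findings.append("issuer is '" + result["issuer"] + "', expected DigiCert")
    return findings


if __name__ == "__main__":
    try:
        outcome = probe(UAT_HOST)
        print(outcome, assess(outcome) or "ready")
    except (ssl.SSLError, OSError) as exc:
        # A verification or handshake failure here is the compatibility issue to fix.
        print("handshake failed:", exc)
```

A certificate verification error from this script points at a trust store missing the DigiCert root or subordinate CA; a handshake failure points at a client stack that cannot negotiate TLS 1.2 without 3DES.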

Guides

To further assist with preparing for TLS 1.2, we have prepared the following guides.

For merchants:

https://www.paymentexpress.com/tls-merchant-guide

For anyone using the Payline portal or paying via a Payment Express Hosted solution (PxPay or Payform):

https://www.paymentexpress.com/tls-deprecation

You can share this one with your customers, as a few of them may be unable to access the payment page after this change if their device or web browser is not up to date.