PCI Compliance – TLS requirement

by Adam Tworkiewicz


In October of last year, industry security researchers identified a vulnerability in the Secure Sockets Layer 3.0 (SSLv3.0) encryption protocol.

In response, the Payment Card Industry (“PCI”) Council, as well as Visa and MasterCard, have issued a mandate that all merchants and service providers configure their systems to ensure secure connections between relevant systems by June 2016.

In support of this PCI mandate, Sabre is requesting customers to take action by December 31, 2015 to avoid potential disruptions that may disable the ability of client applications to connect to the Sabre APIs using encryption protocol SSLv3.0, and all versions of Transport Layer Security (TLS) prior to version 1.2.

In the future, Sabre will no longer support communication with ciphers using keys shorter than 128 bits.

From the PCI Security Standards Council:

“Due to the nature of web-based environments, e-commerce implementations have the highest susceptibility and are therefore at immediate risk from the known vulnerabilities in SSL/early TLS.”

Customers using the public Internet to consume Sabre APIs fit that description, so the update to TLSv1.2 is imperative.

This is a security requirement regardless of whether the data being accessed is PCI related or not. As this is an industry-wide initiative, customer IT organizations should be determining what actions are required to comply.

Sabre APIs (SOAP and REST APIs)

No new versions of Sabre APIs are required to comply with this mandate, but developers should review their configurations to ensure all systems are using the correct protocols.

The table below identifies the recommended Encryption protocols and Ciphers that should be utilized. Once the changes are implemented, any communication that cannot negotiate to TLSv1.2 or is using an unsupported Cipher will be rejected.

Unsupported Encryption Protocols:
  • Secure Sockets Layer (SSL) versions 1.0, 2.0, and 3.0
  • TLSv1.0 and TLSv1.1

Supported Encryption Protocols:
  • TLSv1.2 and higher

Unsupported Ciphers:
  • MD5, RC4, DES, EXPORT, aNULL and eNULL

Supported Ciphers:
  • Strong ciphers with key lengths >= 128 bits must be used

The following URLs can be used to test the connection from your client application, prior to applying the required changes to comply with this mandate:
  • https://sws-tls.cert.sabre.com/ (SOAP APIs)
  • https://api-tls.cert.sabre.com/ (REST APIs)

NOTE: the test URLs above are provided only for testing TLSv1.2 compliance.

The production URLs will not need to be changed on the client’s end once the reconfiguration has been completed (see the SOAP environment and REST environment references for more information).

Action required

The actions customers need to take will vary depending on the configuration used to connect to Sabre APIs, mainly the client libraries/frameworks and programming language in use.

As a starting point, a simple test – from the customer application – against the endpoints provided above (depending on use of SOAP and/or REST APIs) should show whether the current configuration is compliant with TLSv1.2.

Here are some examples of exceptions/errors received when a connection cannot be established using TLSv1.2:

  • .NET: “The request was aborted: Could not create SSL/TLS secure channel”
  • Java: “net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure”
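As an added example (not part of the original post or Sabre’s own tooling), the following Python 3.7+ probe performs the test described above: it opens a connection that only allows TLSv1.2 or higher, reports the negotiated protocol and cipher, checks the cipher against the unsupported list and the 128-bit minimum from the table, and returns a handshake failure as a result instead of crashing. The two hostnames are taken from the test URLs above; the weak-cipher markers are this example’s own assumption about how those families appear in OpenSSL suite names.

```python
import socket
import ssl

# Test hosts from the post's TLSv1.2 endpoints (SOAP and REST)
SOAP_TEST_HOST = "sws-tls.cert.sabre.com"
REST_TEST_HOST = "api-tls.cert.sabre.com"

# Assumed substrings marking the unsupported families in OpenSSL
# suite names: MD5, RC4, DES (also catches 3DES), EXPORT, and the
# anonymous/null suites (aNULL via ADH/AECDH, eNULL via NULL).
WEAK_MARKERS = ("MD5", "RC4", "DES", "EXP", "NULL", "ADH", "AECDH")


def cipher_is_compliant(name, key_bits):
    """True when a negotiated cipher meets the post's rules:
    none of the unsupported families and a key of >= 128 bits."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return False
    return key_bits >= 128


def build_tls12_context():
    """Client context that refuses SSLv3/TLSv1.0/TLSv1.1 outright,
    so a server that cannot reach TLSv1.2 fails the handshake."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(host, port=443, timeout=10):
    """Connect with TLSv1.2+ and report what was negotiated. A handshake
    failure (the Java/.NET errors quoted above) is returned, not raised."""
    ctx = build_tls12_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return {"host": host, "ok": cipher_is_compliant(name, bits),
                        "protocol": tls.version(), "cipher": name,
                        "bits": bits, "error": None}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "ok": False, "protocol": None, "cipher": None,
                "bits": None, "error": str(exc)}


if __name__ == "__main__":
    for host in (SOAP_TEST_HOST, REST_TEST_HOST):
        print(check_endpoint(host))
```

Run it from the same machine and runtime as the client application, since the negotiated protocol depends on that environment’s TLS stack, not on the probe itself.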

With that – and since each customer configuration can be unique – a review by the customer’s IT department/development team is encouraged to ensure the necessary actions have been taken.

Finally, if you have any concerns about making the necessary changes by December 31, 2015, please contact your Sabre Account Director.
