Configure SSL encryption

Note: TLS is the successor of SSL. In the following, the term SSL is used to refer to the secure communication technologies within Safer Payments; in the Safer Payments interfaces all equivalent elements are named SSL.

For PCI DSS compliance you must enable SSL encryption as follows:

  • The API must be encrypted to securely transmit passwords.
  • All MCI endpoints must be encrypted when cardholder data is sent over public networks.
  • The ECI must be enabled for synchronization of encryption keys between cluster instances.
  • SSL and early TLS are not considered strong cryptography. Payment applications must not use, or support the use of, SSL or early TLS. Therefore, TLS 1.0 and 1.1 must be disabled for the API, MCI, and ECI.
Note: The FLI and SCI do not support SSL/TLS encryption; instead, they encrypt attribute data based on the encryption settings defined in Safer Payments.

For each interface that uses SSL encryption, encrypted SSL certificate files must be provided. Safer Payments needs two files to support an encrypted connection: the server certificate and the private key, both in PEM format. The storage location of these files can be configured on the SSL Settings page. See Create certificates with OpenSSL for details on how to create the required certificates.

  1. On the Safer Payments user interface, click the Cluster tab.
    Figure 1. Cluster settings
  2. Click the first instance of the Cluster Settings table.
  3. Scroll down to the Interfaces section. Click the Application Programming tab.
    Figure 2. API - SSL settings
  4. Select the Application Programming Interface (API), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.

    Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.

  5. Click the Encrypted Communication tab. Select the Encrypted Communication Interface (ECI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.

    Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.

  6. Click the Message Command tab. Select the Message Command Interface (MCI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.

    Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.

    Repeat this step for each MCI endpoint.

  7. Repeat these steps for each instance.
Note:
  • SSL settings are individual for each Safer Payments instance because different instances of Safer Payments running on different computers with different IP addresses require different certificates.
  • Enabling SSL encryption and changing the settings becomes effective immediately.
  • From now on, you are prompted to enter the certificate passphrase on the console during startup for each instance. See Start and stop Safer Payments instances for details.
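After the settings above are applied, an administrator will want to confirm two things: that the three PEM files (certificate, private key, Diffie-Hellman parameters) are what the instance expects, and that the configured port really refuses TLS 1.0 and 1.1 while still accepting TLS 1.2 or later. The Python script below is an added example written for this page; it is not part of Safer Payments or its documentation. It uses only the standard library `ssl` module. The host, port and file paths are assumptions supplied on the command line, and the sample PEM strings are constructed placeholders with a dummy body, not real key material.

```python
"""Post-configuration checks for an SSL-enabled Safer Payments interface (added example).

1. Sanity-check the PEM files referenced on the SSL settings page.
2. Probe an API/MCI/ECI port once per TLS version and report which are accepted.
"""
from __future__ import annotations

import re
import socket
import ssl
from pathlib import Path

# Matches one PEM block and captures its label ("CERTIFICATE", "DH PARAMETERS", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s.*?-----END \1-----", re.S)

# Labels accepted for each file configured on the SSL settings page.
EXPECTED_LABELS = {
    "certificate": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
    "dh": {"DH PARAMETERS"},
}

# Version the server side should never go below (TLS 1.0/1.1 rejected).
MIN_TLS = ssl.TLSVersion.TLSv1_2

# Constructed placeholder PEM texts (body is base64 of "PLACEHOLDER", not a real key or cert).
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
SAMPLE_ENCRYPTED_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAIN_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"


def pem_block_types(text: str) -> list[str]:
    """Return the labels of all PEM blocks in text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(text: str) -> bool:
    """True if the private key is passphrase-protected (PKCS#8 encrypted or legacy Proc-Type header)."""
    return "ENCRYPTED PRIVATE KEY" in pem_block_types(text) or "Proc-Type: 4,ENCRYPTED" in text


def check_pem_text(kind: str, text: str) -> tuple[bool, str]:
    """Check that text holds a PEM block of the label expected for kind ('certificate', 'key', 'dh')."""
    labels = pem_block_types(text)
    if not labels:
        return False, "no PEM block found (DER-encoded or empty file?)"
    if not set(labels) & EXPECTED_LABELS[kind]:
        return False, f"contains {labels}, expected one of {sorted(EXPECTED_LABELS[kind])}"
    if kind == "key" and not key_is_encrypted(text):
        return True, "ok, but the private key is NOT passphrase-protected"
    return True, f"ok ({', '.join(labels)})"


def check_pem_file(kind: str, path: str) -> tuple[bool, str]:
    """check_pem_text() applied to a file on disk; a missing file is a failure."""
    p = Path(path)
    if not p.is_file():
        return False, f"{path}: file not found"
    ok, msg = check_pem_text(kind, p.read_text(errors="replace"))
    return ok, f"{path}: {msg}"


def build_server_context(cert: str | None = None, key: str | None = None,
                         dh: str | None = None, passphrase: str | None = None) -> ssl.SSLContext:
    """Server-side context with the same policy as the settings page: no TLS below 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    if cert:
        ctx.load_cert_chain(cert, key, password=passphrase)
    if dh:
        ctx.load_dh_params(dh)
    return ctx


def probe_tls_versions(host: str, port: int, timeout: float = 5.0) -> dict[str, str]:
    """Attempt one handshake per TLS version against host:port and record the outcome."""
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results: dict[str, str] = {}
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is under test here
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except ValueError as e:  # local OpenSSL build does not offer this version at all
            results[name] = f"untestable locally ({e})"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = f"accepted ({tls.version()})"
        except ssl.SSLError as e:
            results[name] = f"rejected ({e.reason or type(e).__name__})"
        except OSError as e:
            results[name] = f"connection error ({e})"
    return results


def legacy_tls_disabled(results: dict[str, str]) -> bool:
    """True when neither TLS 1.0 nor 1.1 was accepted and TLS 1.2 or 1.3 was."""
    accepted = {v for v, outcome in results.items() if outcome.startswith("accepted")}
    return not (accepted & {"TLSv1.0", "TLSv1.1"}) and bool(accepted & {"TLSv1.2", "TLSv1.3"})


if __name__ == "__main__":
    import sys  # usage: script.py HOST PORT [CERT.pem KEY.pem DH.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    for kind, path in zip(("certificate", "key", "dh"), sys.argv[3:6]):
        print(check_pem_file(kind, path)[1])
    outcome = probe_tls_versions(host, port)
    for version, result in outcome.items():
        print(f"{version:8} {result}")
    print("TLS 1.0/1.1 rejected:", legacy_tls_disabled(outcome))
```

The probe deliberately disables certificate verification because the question it answers is only which protocol versions the endpoint negotiates; it is not a substitute for validating the certificate chain. On hosts with a recent OpenSSL, the local client library may itself refuse to offer TLS 1.0 or 1.1, in which case those rows read "untestable locally" or "rejected" with a local reason, and the check should be repeated from a host whose OpenSSL still offers those versions. The key check also reports a private key that is not passphrase-protected, which would be inconsistent with the passphrase prompt described in the note above.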