Configure SSL encryption
For PCI DSS compliance you must enable SSL encryption (which is TLS; the Safer Payments user interface keeps the name SSL) as follows:
- The API must be encrypted so that passwords are transmitted securely.
- All MCI endpoints must be encrypted when cardholder data is sent over public networks.
- The ECI must be encrypted, because it synchronizes encryption keys between cluster instances.
- SSL and early TLS are not considered strong cryptography. Payment applications must not use, or support the use of, SSL or early TLS. Therefore, TLS 1.0 and 1.1 must be disabled for the API, MCI, and ECI.
For each interface that uses SSL encryption, certificate files must be provided. Safer Payments needs two files to support an encrypted connection: the server certificate and its private key, both in PEM format. A Diffie-Hellman parameter file is configured alongside them for each interface. The private key file is passphrase protected; the passphrase is requested on the console when the instance starts. The storage location of these files can be configured on the SSL Settings page. See Create certificates with OpenSSL for details on how to create the required certificates.
- On the Safer Payments user interface, click the Cluster tab.
- Click the first instance in the Cluster Settings table.
- Scroll down to the Interfaces section and click the Application Programming tab.
- Select the Application Programming Interface (API), Reject TLS 1.0, and Reject TLS 1.1 checkboxes. Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.
- Click the Encrypted Communication tab. Select the Encrypted Communication Interface (ECI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes. Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.
- Click the Message Command tab. Select the Message Command Interface (MCI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes. Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file. Repeat for each endpoint.
- Repeat these steps for each instance.
- SSL settings are configured per Safer Payments instance: instances run on different computers with different IP addresses and therefore require different certificates.
- Enabling SSL encryption or changing the settings takes effect immediately.
- From now on, you are prompted on the console for the certificate passphrase (the passphrase that protects the private key file) during startup of each instance. See Start and stop Safer Payments instances for details.
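The procedure above assumes the three PEM files already exist. The following shell script is an added example, not part of the Safer Payments documentation or product: it creates the files for one instance and checks them the way an operator should before entering their paths, and it includes a probe to run against a live interface once Reject TLS 1.0 and Reject TLS 1.1 are set. The private key is written passphrase protected (the passphrase the instance will ask for at startup); the script reads that passphrase from an environment variable named SP_KEY_PASS, which is an assumption of this example, as are the host name, port, and file names. The Diffie-Hellman file uses the published RFC 7919 ffdhe2048 group rather than a freshly generated prime. The certificate is self-signed for illustration only; in production, send a CSR to your CA and install the issued certificate instead.

```shell
#!/bin/sh
# Added example (not Safer Payments code). Requires OpenSSL 1.1.1 or later
# (-addext and the ffdhe named groups). Function bodies run in a subshell,
# so "exit" inside them only leaves the function.
set -eu

# Generate key.pem, cert.pem and dh.pem for one instance in DIR for host HOST.
# The private key is passphrase-protected PKCS#8; the passphrase comes from
# $SP_KEY_PASS (assumed variable name) and is what the instance prompts for
# on the console at startup.
gen_tls_files() (
    dir=$1
    host=$2
    [ -n "${SP_KEY_PASS:-}" ] || { echo "SP_KEY_PASS is not set" >&2; exit 1; }
    umask 077                      # key material must not be readable by others
    mkdir -p "$dir"
    # 3072-bit RSA key, encrypted with AES-256-CBC under the passphrase
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -aes-256-cbc -pass env:SP_KEY_PASS -out "$dir/key.pem"
    # Self-signed certificate for illustration. For production, drop -x509 and
    # -days to produce a CSR, have your CA sign it, and install the result as cert.pem.
    openssl req -new -x509 -sha256 -days 365 \
        -key "$dir/key.pem" -passin env:SP_KEY_PASS \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/cert.pem"
    # Diffie-Hellman parameters: the RFC 7919 ffdhe2048 group (publicly reviewed,
    # no minutes-long dhparam run)
    openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe2048 \
        -out "$dir/dh.pem"
)

# Check the three files before pointing an interface at them. Succeeds only if
# the key decrypts with $SP_KEY_PASS and matches the certificate, the certificate
# is valid for at least 30 more days, and the DH prime has at least 2048 bits.
verify_tls_files() (
    dir=$1
    key_pub=$(openssl pkey -in "$dir/key.pem" -passin env:SP_KEY_PASS -pubout 2>/dev/null) \
        || { echo "cannot decrypt $dir/key.pem with SP_KEY_PASS" >&2; exit 1; }
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) \
        || { echo "cannot read $dir/cert.pem" >&2; exit 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match certificate" >&2; exit 1; }
    openssl x509 -in "$dir/cert.pem" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days" >&2; exit 1; }
    bits=$(openssl pkeyparam -in "$dir/dh.pem" -noout -text \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
        || { echo "DH parameters missing or weaker than 2048 bits" >&2; exit 1; }
)

# Probe a live interface (HOST PORT) after Reject TLS 1.0 / 1.1 are set: the
# TLS 1.0 and 1.1 handshakes must fail and a TLS 1.2 handshake must succeed.
# SECLEVEL=0 makes the client actually offer the old versions (OpenSSL 3 refuses
# to at its default level), so a failure here is the server's decision.
check_tls_versions() (
    host=$1
    port=$2
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:$port" "-$v" -cipher 'DEFAULT:@SECLEVEL=0' \
               </dev/null >/dev/null 2>&1; then
            echo "$host:$port still accepts $v" >&2
            exit 1
        fi
    done
    openssl s_client -connect "$host:$port" -tls1_2 </dev/null >/dev/null 2>&1
)
```

Run gen_tls_files once per instance with that instance's host name, since each instance needs its own certificate, and keep the passphrase out of shell history (export it from a prompt or a secrets tool rather than on the command line). After the interface is enabled, check_tls_versions against the instance's API, ECI or MCI port confirms that the Reject TLS 1.0 and Reject TLS 1.1 settings are in effect from the client's side rather than trusting the checkbox alone.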