http://www.bridgepaynetwork.com
IMPORTANT DATES FOR TLS 1.2

ACTION REQUIRED

Following SSL/TLS vulnerabilities such as POODLE and BEAST, the National Institute of Standards and Technology (NIST) deems all encryption protocols before TLS 1.2 weak and insecure. Upgrading to a current, secure version of TLS is the only known way to remediate the inherent weakness in early TLS implementations. Accordingly, the PCI Council has updated its encryption protocol requirements.

BridgePay is dedicated to maintaining a high level of security and compliance to protect sensitive data. In order to ensure security and compliance, BridgePay will be migrating its systems to use TLS 1.2. BridgePay systems currently support TLSv1, TLSv1.1 and TLSv1.2. However, on June 30, 2018, BridgePay production systems will no longer support TLSv1 or TLSv1.1.

In order to facilitate testing, BridgePay will migrate all of its test systems to use TLS 1.2 ONLY on April 2, 2018. We strongly recommend testing as soon as possible to ensure any production migrations go smoothly and to prevent transaction interruptions.

What systems are affected by this announcement?
Any system that makes an inbound encrypted connection to BridgePay systems. This includes web browsers, terminals and direct API integrations.

I use PayLINK. Am I affected?
Yes. Older versions of PayLINK (2.1.253 and older) do not support TLS 1.2. This means that on April 2, 2018, these older versions will not be able to connect to BridgePay test systems. Please upgrade to the latest version of PayLINK (2.1.254), which supports TLS 1.2 and will be available to users on approximately March 8th via our website and Integration Support portal. Production is not affected at this time. To avoid processing interruptions, PayLINK users should test and upgrade all production systems running PayLINK to the latest version before June 30, 2018.

Will PayLINK be supported after this release?
The product is considered End of Life (EOL). This means no further releases or updates to the product will occur. Adding TLS 1.2 capability to PayLINK is intended to bridge the gap for customers until migrations to PayGuardian can occur.
 
Is this new version of PayLINK PA-DSS certified?
No. PayLINK is End of Life (EOL) and there are no plans to certify this version.

When does PayLINK reach End of Support (EOS)?
The EOS date for PayLINK has not been determined. Users will be given advance notice of EOS.

What is the replacement for PayLINK?
PayGuardian is the replacement for PayLINK. Please contact BridgePay Integrations to discuss migration options. Our team can be reached by submitting a request at https://ta.bridgepaynetwork.com/. When submitting this form, please select "Migrating from PayLINK to PayGuardian" under Reason for Requesting a Test Account.

I use PayGuardian. Am I affected?
No. PayGuardian already supports TLS 1.2.

I connect with a web browser. Am I affected?
Modern web browsers such as Microsoft Edge, Microsoft Internet Explorer, Firefox and Chrome support TLS 1.2. Consult your IT department to ensure your system is configured correctly.

My system is integrated to the PathwayLINK API. Am I affected?
Yes. Please ensure your POS system integration supports TLS 1.2. Contact your POS supplier.

My system is integrated to BridgePay API. Am I affected?
Yes. Please ensure your POS system integration supports TLS 1.2. Contact your POS supplier.

Who should I contact if my terminal needs to be upgraded to use TLS 1.2?
If your terminal does not support the TLS 1.2 protocol, contact your terminal provider for an upgrade.

Which Encryption Ciphers will be supported?

Cipher Name in server preferred order           Key Generation                      Forward Secrecy  Encryption Strength
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  ECDH secp256r1 (eq. 3072 bits RSA)  FS               256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH secp256r1 (eq. 3072 bits RSA)  FS               128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH secp256r1 (eq. 3072 bits RSA)  FS               256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     ECDH secp256r1 (eq. 3072 bits RSA)  FS               256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH secp256r1 (eq. 3072 bits RSA)  FS               128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)     ECDH secp256r1 (eq. 3072 bits RSA)  FS               128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)      DH 2048 bits                        FS               256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)      DH 2048 bits                        FS               256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)      DH 2048 bits                        FS               128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)      DH 2048 bits                        FS               128
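
An integrator can check a client's TLS stack against the cipher list above before the cutover dates. The following is an added example, not BridgePay code: it pins a Python client context to TLS 1.2, matches the locally available suites against the ids in the table, and reports which suite would be negotiated. The function names are hypothetical, it assumes the server enforces its preferred order, and it inspects only the local OpenSSL build without opening a connection.

```python
import ssl

# Suites and ids copied from the table above, in server-preferred order.
SERVER_ORDER = [
    (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    (0xC014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    (0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
    (0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
    (0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
]


def tls12_only_context(cipher_string="ALL"):
    """Client context pinned to TLS 1.2, the only version accepted after cutover."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # "ALL": every suite the local OpenSSL permits
    return ctx


def local_suite_ids(ctx):
    """IANA ids this context can offer (low 16 bits of OpenSSL's cipher id)."""
    return {c["id"] & 0xFFFF for c in ctx.get_ciphers()}


def server_choice(client_ids):
    """Assumption: the server enforces its own order; None means no shared suite."""
    for suite_id, name in SERVER_ORDER:
        if suite_id in client_ids:
            return name
    return None


def readiness_report(ctx):
    offered = local_suite_ids(ctx)
    return {
        "shared": [n for i, n in SERVER_ORDER if i in offered],
        "expected_choice": server_choice(offered),
    }


if __name__ == "__main__":
    print(readiness_report(tls12_only_context()))
```

An empty "shared" list means the client has no suite in common with the table and the handshake would fail even with TLS 1.2 enabled. Pass the integration's actual OpenSSL cipher string to tls12_only_context to test a restricted configuration.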

Below are some links that may help with understanding these changes: