Global Payments Requiring Update from Vulnerable SSL 3.0 by
March 3rd, 2015
The update involves a security encryption change within Global from the SSL3 method (which has been proven to be susceptible to the POODLE breach) to TLS encryption, which is not vulnerable.
Datacap has updated the current version of our NETePay software and Tran applications with support for TLS. Users simply need re-install NETePay at the latest version or re-load Tran applications for the update to take effect.
Global updates will be Free of Charge from Datacap
Why so many updates recently?
On October 14, 2014, researchers from Google discovered a critical vulnerability in Secure Sockets Layer version 3.0 (SSL 3.0) (CVE-2014-3566) called POODLE (Padding Oracle On Downgraded Legacy Encryption), also known as POODLEBleed. The SSL 3.0 vulnerability could allow an attacker to carry out a Man-in-the-Middle (MITM) attack to decrypt secure HTTP cookies, which could let them steal information or take control of the victim’s online accounts. The attack can be executed both on the server side and client side. Because of this vulnerability, many ISPs are dropping support for SSL, forcing payment processors to update from SSL to TLS encryption.
Visa SSL Security Alert (explaining PoodleBleed vulnerability)
NETePay™ Users
NETePay users must update to the latest version of software to add support for TLS encryption. Updates are required for the following processors that utilize Global processing.
- Global Host/Terminal
- Global Canada (EMV and non-EMV)
- EVO Host/Terminal
- Mercury Canada (EMV)
- NPC Host (rental)
IPTran™/TwinTran™ Users
Global TwinTran/IPTran users need to update to version 3.80 to use TLS. Global DialTran™ users are not impacted and need not take any action at this time. Updates are required for the following processors that utilize Global processing.
- Global Host/Terminal
- NPC Host (rental)
- Mercury Host (AutoLoad™) -only applies to installs using a non-Mercury gift service. NoLoad™ devices will not require updates.
Legacy DataTran™/IPTran™ Users
Global legacy DataTran™/IPTran™ configuration users will need to upgrade to a current TwinTran or IPTran product, depending on their specific requirements. Legacy DataTrans processing over dial will not be impacted by this change.