Deprecating TLS 1.0 and 1.1

By Andy Savage, 15 Mar 2018, in product

On the 30th of June 2018 the PCI Security Council (made up of Visa, MasterCard, American Express, Discover and JCB) is deprecating TLS 1.0 and 1.1 in an effort to keep card payments secure.

TLS is used to keep web traffic and communications secret. Versions 1.0 and 1.1 have known weaknesses, and continuing to support them would put customers at risk. To ensure everyone can use the web in a safe and secure manner, the much more secure TLS 1.2 protocol will be required for all payment data after this cut-off date.

To help keep our customers as secure as possible, Paddle will also be deprecating the use of TLS 1.0 and 1.1 on all our other APIs at this time.

From this date, any customers using older operating systems or browsers will no longer be supported. Customers on these older systems will have to upgrade to a newer platform to be able to shop online. This change will be enacted by all online merchants, not just Paddle.

How does this impact you?

The impact will be minimal for our sellers: after looking at the data, only 0.3% of purchases via Paddle were made using older browsers and operating systems that only support TLS 1.0 and 1.1.

These will cease to work from July 2018 onwards, which means that some of these affected customers may complain that they can’t use our checkout. The only solution is for them to upgrade to a more recent browser and operating system.

If you are using our APIs with clients that do not support TLS 1.2 you will also need to update them. This typically involves upgrading the operating system or packages on your server.

What steps can you take?

You can use How’s My SSL to check whether your client supports TLS 1.2.
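For an API client rather than a browser, the same check can be scripted. The sketch below is an added example, not Paddle's or How's My SSL's own code: it assumes the service's JSON endpoint at `https://www.howsmyssl.com/a/check` and its `tls_version` and `rating` fields, and the two sample responses are constructed for illustration.

```python
import json
import ssl
import urllib.request

# Assumption: How's My SSL's JSON endpoint and its "tls_version"/"rating" fields.
CHECK_URL = "https://www.howsmyssl.com/a/check"
MINIMUM = (1, 2)  # TLS 1.2 is the lowest version accepted after the cut-off

# Constructed sample responses (not captured from a real client).
SAMPLE_OLD = '{"tls_version": "TLS 1.0", "rating": "Bad"}'
SAMPLE_NEW = '{"tls_version": "TLS 1.2", "rating": "Probably Okay"}'


def parse_version(label):
    """Turn 'TLS 1.2' into (1, 2); SSL or unparseable labels sort below TLS 1.0."""
    name, _, number = label.strip().partition(" ")
    if name.upper() != "TLS":
        return (0, 0)
    try:
        major, minor = number.split(".")
        return (int(major), int(minor))
    except ValueError:
        return (0, 0)


def assess(report_json):
    """Return (ok, message) for one How's My SSL style report."""
    report = json.loads(report_json)
    label = report.get("tls_version", "unknown")
    ok = parse_version(label) >= MINIMUM
    verdict = "will keep working" if ok else "will fail once TLS 1.0/1.1 is off"
    return ok, f"negotiated {label} (rating: {report.get('rating', 'n/a')}): {verdict}"


def local_stack():
    """Describe what the local Python/OpenSSL build supports, without any network."""
    return {"openssl": ssl.OPENSSL_VERSION, "has_tls12": ssl.HAS_TLSv1_2}


def fetch_report(timeout=10):
    """Ask the live service what this client negotiates by default (needs network)."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(CHECK_URL, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(local_stack())
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(assess(sample))
```

Run it with the same runtime and OpenSSL build your integration uses in production, passing `fetch_report()` to `assess()`, since the result reflects that specific stack and not the machine in general.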

The How’s My SSL service can also be used to check whether your customers are impacted (although the service charges a subscription in that case), and display a message encouraging them to upgrade rather than opening the checkout. Contact us if you want to discuss the best way to build a good experience for your customers.

What are we doing next?

In order to help you better assess the impact of these changes, before the cut-off date we’ll be temporarily turning off TLS 1.0 and 1.1 over the coming months:

  • For 4 hours on the 29th March
  • For 12 hours on the 19th April
  • For 1 day on the 17th May

We will send you a reminder nearer the time so you can understand the impact of this change, especially around drops in conversion (tracked via Google Analytics for example) and alerts about errors in your applications.

Which operating systems and browsers will no longer be supported?

To be able to use the checkout customers will need to use one of the following browsers:

  • Google Chrome: above version 29 (released August 2013)
  • Safari: above version 6 (which came with MacOS 10.8; if you’re using our Mac SDK, customers will need to be on MacOS 10.9 or above) (released August 2015)
  • Firefox: above version 26 (released December 2013)
  • IE: version 8 and above BUT customers will need to have the right service pack for Windows 8 and below (8.1 does support it).

You can read full details here.
