Update on TLS Support and PCI Timelines

Update (June 26, 2018): All requests made to Braintree servers using older versions of TLS are now blocked.
Update (12/13): PayPal has released their timeline for migrating merchants that integrate directly with PayPal. The timeline can be found here.

In July of last year, we brought you an update about the end of support of Transport Layer Security (TLS) 1.0 for Braintree services. Late last year, Braintree also completed the move to SHA-256 certificates on all endpoints. Since that original post, the PCI Council has revised the deadline for ending TLS 1.0 support from June 2016 to June 2018.

One of Braintree’s top priorities is securing the data our merchants entrust to us. We also want to be aware of implications to merchants and their business. We are still evaluating whether or not the PCI Council’s updated timeline is right for us. However, we also don’t believe it’s appropriate to proceed with deprecating TLS 1.0 on our original timeline. As a result, we are currently postponing deprecation of TLS 1.0 from June 2016 until January 31, 2017. We expect the security landscape in the industry will continue to evolve quickly, so we will re-assess this timeline in September 2016 and provide an update at that time.

PayPal will release a separate timeline for migrating merchants that integrate directly with PayPal. If you integrate directly with PayPal please refer to the PayPal 2016 Merchant Security Roadmap Microsite.

Naturally, we will continue to keep a watchful eye on security-related matters and may choose to accelerate our timeline in the event the TLS protocol becomes vulnerable to additional attacks.

John Downey John Downey is the Security Lead at Braintree. In his free time he contributes to open source projects and mentors high school students in the FIRST Robotics Competition. More posts by this author

You Might Also Like