GETTING READY FOR TLS 1.2
Payment Card Industry Data Security Standards (PCI DSS) require all PA-DSS validated payment applications to discontinue the use of “early TLS” (i.e., all versions of SSL and TLS 1.0) by June 30th, 2018.
To comply with this requirement, NCR Secure Pay will no longer accept early TLS connections after 2:30 A.M. on June 5th, 2018. In addition, updates to NCR Counterpoint V8.5.4 and V8.4.6 that will require the use of TLS 1.2 for payment transactions processed through NCR Secure Pay will be released as follows:
- V8.5.4 Patch 002: Scheduled for 2/20/2018
- V18.104.22.168 Service Pack: Scheduled for 3/6/2018
We do not plan to release patches or Service Packs to support TLS 1.2 in other versions of NCR Counterpoint. To prepare for the transition to TLS 1.2, you must first ensure that TLS 1.2 is supported and enabled on your
workstations by following the appropriate steps for your operating system, as outlined below.
Do NOT disable early TLS on your workstations, as NCR Counterpoint Services (CPServices) requires TLS 1.0 for internal communications. Because PCI DSS prohibits the use of early TLS for the external communication of payment transactions only, using TLS 1.0 with CPService does not violate PCI-DSS compliance.
CPServices will be updated to use TLS 1.2 in a future NCR Counterpoint release.
Once TLS 1.2 is enabled, you can install V8.5.4 Patch 002 or the V22.214.171.124 Service Pack—depending on which version of NCR Counterpoint you are using—to begin using TLS 1.2 for all communications with NCR Secure Pay.
V8.5.4 Patch 002 and the V126.96.36.199 Service Pack will only work with TLS 1.2. If you install these updates on a workstation for which TLS 1.2 is not supported and enabled, NCR Counterpoint will be unable to connect to NCR Secure Pay and you will be unable to process payments.
W I N D O WS 8. 1/ W I N D O W S 1 0 / W I N D O W S S E R V E R 2 01 2 R 2
By default, TLS 1.2 is supported and enabled in Windows 8.1, Windows 10, and Windows Server 2012 R2. Thus,
no additional configuration is required to use TLS 1.2 with these operating systems.
W I N D O W S 7/ W I N D O W S E M B E D D E D P O S R EA D Y 7 / W I N D O W S S E R V E R 2 0 0 8 R 2
If your NCR Counterpoint workstations are running Windows 7, Windows Embedded POSReady 7, or Windows
Server 2008 R2, first ensure that you have installed all current Service Packs, updates, and security patches.
To enable TLS 1.2, create the registry setting entries (in the Client subkey) that are specified in the TLS 1.2
section of the Transport Security Layer (TLS) registry settings page in the Microsoft documentation library
Every effort has been made to ensure the accuracy of this document. NCR makes no representations or warranties with respect to any of the information contained in this document and specifically disclaims any express or implied warranties of merchantability or fitness for a particular purpose with respect to such information. NCR shall not be liable for any errors or for incidental, indirect or consequential damages in connecting with the furnishing, performance or use of this document.
V E R I FY I N G T H A T T L S 1 .2 I S E N A B L E D
If you are using Windows 7, Windows Embedded POSReady 7, or Windows Server 2008 R2, you can verify whether TLS 1.2 is supported and enabled on each of your NCR Counterpoint workstations by using Microsoft Internet Explorer to access the How’s My SSL? Website (https://howsmyssl.com).
Only use Internet Explorer to verify that your workstation is using TLS 1.2; other browsers do not use the Windows TLS system and may display incorrect results.
The Version section of the page should indicate that your client is using TLS 1.2, as illustrated below.
W I N D O W S E M B E D D E D P O S R E A D Y 2 0 0 9
NCR does not currently plan to test or support TLS 1.2 with Windows Embedded POSReady 2009. Although Microsoft has indicated that an update will be made available to support TLS 1.2 with Windows POSReady 2009 (https://cloudblogs.microsoft.com/microsoftsecure/2017/10/05/announcing-support-for-tls-1-1-and-tls-1-2-in- xp-posready-2009/), merchants who wish to continue using POSReady 2009 must do so at their own risk.
We strongly recommend upgrading any workstation that is running Windows POSReady 2009 to a newer, supported operating system.