Important: SOAP Toolkit Update
As part of ongoing security enhancements, we are planning to upgrade SOAP API
authentication to P12 authentication. This upgrade is currently available for Java,
C++, C#, and PHP. For instructions, read the .
SSL/TLS Certification Migration
To uphold the maximum levels of security and compliance in both your browser-based and
server-to-server interactions with the Visa Acceptance Solutions platform (including
Cybersource), we are transitioning all Cybersource endpoint SSL/TLS certificates from
Entrust to DigiCert. These SSL/TLS certificates, originally issued by Entrust, will now be
issued by DigiCert to fortify these communication channels.
Merchants using Cybersource endpoints should coordinate with their network team or
hosting/solution provider to implement all necessary measures to ensure their connections to
Cybersource properties follow industry standards. This includes updating their systems with
the new Root and Intermediate (CA) SSL/TLS certificates that correspond to the specific
Cybersource endpoint they use.
If your application requires trusting of certificates at the server level, you must install
(trust) the new certificates prior to expiration of existing certificates to avoid any
production impact. The link to the Server-Level (leaf) SSL certificate will be updated when
they become available.
We recommended that merchants trust only the Root and Intermediate CA
SSL/TLS certificates on all secure endpoints. This method avoids the annual necessity to
renew the server-level certificate.
Do not revoke or remove any of your existing Entrust certificates linked with Cybersource
endpoints before the scheduled dates. Until the cut-off dates, the only supported
certificates will be the Entrust SSL certificates. You may add the new certificates to your
system, in addition to the existing certificates, and verify their functionality in the
testing environment.
There will be two phases and each phase will update different endpoints.
First Phase
The first phase is complete and updated the following endpoints:
Test URLs | Production URLs |
|---|---|
apitest.cybersource.com | accountupdater.cybersource.com |
accountupdatertest.cybersource.com | api.cybersource.com |
batchtest.cybersource.com | batch.cybersource.com |
api.accountupdatertest.cybersource.com | api.accountupdater.cybersource.com |
ics2wstest.ic3.com | ics2ws.ic3.com |
ics2wstesta.ic3.com | ics2wsa.ic3.com |
apitest.cybersource.com | ics2ws.in.ic3.com |
api.in.cybersource.com | |
batch.in.cybersource.com |
We strongly urge you to test your implementation as soon as
possible.
Second Phase
The second phase will update the following endpoints:
Test URLs | Production URLs |
|---|---|
testflex.cybersource.com | flex.cybersource.com |
testsecureacceptance.cybersource.com | secureacceptance.cybersource.com |
flex.in.cybersource.com | |
secureacceptance.in.cybersource.com |
The Testing Environment was updated November 5, 2024, 4:00 GMT. The production environment
will be updated December 10, 2024, 4:00 GMT. The old certifications will expire on December
31, 2024.
Flex Microform to be PCI 4.0 Compliant
The PCI Security Standards Council has issued its new PCI Data Security Standard (PCI DSS)
version 4.0. This standard provides a baseline of technical and operational requirements to
protect account data.
The next release of Flex Microform, projected for a January 2025 release, will provide a
mechanism to return the sub-resource integrity (SRI) value to the merchant. This allows the
merchant to validate the legitimacy of the JavaScript code loaded onto the merchant's
webpage used to run the Flex Microform product. This change is mandated in section 6.4.3 of
the PCI DSS 4.0 specification.
For more information about the PCI DSS 4.0 standard, go to: pci-dss-v4-0-resource-hub.