On This Page

Release Notes

These release notes cover all releases to the production server for the week ending
May 1, 2026
.

Announcements

These announcements are for
May 1, 2026
.

TLS Updates

We are making changes to our implementation of Transport Layer Security (TLS).

TLS 1.3

To maintain the highest security standards for both browser-based and server-to-server connections, we will enable TLS 1.3 on the endpoints listed below. This enhancement is optional and will supplement the existing TLS 1.2 support, which will remain in place.
We will make changes to these endpoints on these dates:
Testing environment
: May 26, 2026
ics2wstesta.ic3.com
ics2wstest.ic3.com
apitest.cybersource.com
Production environment
: June 2, 2026
ics2wsa.ic3.com
ics2ws.ic3.com
api.cybersource.com
api.in.cybersource.com
ics2ws.in.ic3.com
Contact Customer Support if you have any questions about these changes.

TLS Certificate Lifetime Reduction

In alignment with new CA/Browser Forum regulations, the maximum TLS certificate lifetime will be reduced gradually as follows:
• Currently, the maximum lifetime for a TLS certificate is 200 days.
• Beginning March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
• Beginning March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
See this blog for more information about the TLS certificate lifetime changes:
How will this change impact connectivity?
Server-level (leaf) SSL/TLS certificates will remain valid until their scheduled expiration. Server-level (leaf) TLS certificates have shorter lifespans and must be reissued more frequently. We therefore recommend that clients trust the root certificate instead.
What is our recommendation?
We continue to recommend trusting the Root TLS certificates for all secure endpoints. This approach removes the need for periodic renewal of server level certificates and helps prevent connection failures caused by expired leaf certificates.
How can I tell which TLS certificate I am using?
Contact your server administrator or your network support team.
Where can I find the TLS Root certificate?
Continue trusting the root certificate to maintain connectivity with supported endpoints. You can download the root certificate from this article:
Contact your Customer Support representatives with any questions.

Webhooks Updates

Webhooks version 1 will be decommissioned by end of the year 2026. See Webhooks version 2 in the Developer Center.

Enhanced Webhook URL Review and Approval Process

We are introducing an enhancement to webhook subscription processing to improve security, compliance, and visibility for webhook-related URLs. Webhook URLs will be validated and reviewed before they can be used. This includes both newly submitted subscriptions and existing subscriptions currently on file. This change is expected to take place at the end of May 2026.

What is Changing

When a webhook subscription is created or updated, the URLs associated with that subscription will be evaluated through a validation and approval process.
This applies to:
  • Webhook URL
     (required)
  • OAuth URL
     (if applicable)
  • Health Check URL
     (if applicable)
As part of this enhancement, clients might now see the following user-facing statuses:
  • PENDING_REVIEW
  • BLOCKED
The existing
INACTIVE
 status remains unchanged and continues to indicate that the subscription is approved and ready within the current lifecycle.

Status Descriptions

Status
Description
PENDING_REVIEW
One or more submitted URLs are being validated or awaiting required security approval.
BLOCKED
One or more URLs were rejected or identified as unsafe or non-compliant. The subscription cannot proceed until the URL(s) are updated.
INACTIVE
All required approvals are complete, and the subscription is ready under the existing activation flow.

How the New Process Works

  1. A webhook subscription is created or updated.
  2. Submitted URLs are checked against existing approval records.
  3. New or unknown URLs are evaluated through automated validation.
  4. If additional review is required, the subscription status changes to
    PENDING_REVIEW
    .
  5. If any URL is rejected or blocked, the subscription status changes to
    BLOCKED
    .
  6. If all required URLs are approved, the subscription status changes to
    INACTIVE
    .

Impact on Existing Subscriptions

After this change goes live, we will run existing webhook subscriptions through the new validation process:
  • Existing subscription URLs will be assessed using the new validation framework.
  • URLs that require additional security review might change the status of the subscription to
    PENDING_REVIEW
    .
  • If any existing URL is identified as blocked, the associated subscription status will be updated to
    BLOCKED
    .
In cases where a subscription status is change to
BLOCKED
, clients will be expected to perform these tasks:
  • Review the affected endpoint(s).
  • Update the URL(s) to an acceptable endpoint.
  • Resubmit the subscription for processing.

For New Subscriptions

New webhook-related URLs may go through validation and, if necessary, security review before the subscription can proceed.

For Existing Subscriptions

Current subscriptions will also be reviewed after they go live. If an existing endpoint does not meet the new validation requirements, the subscription status might be updated to
BLOCKED
 until the URL is corrected.

If Your Subscription is Marked BLOCKED

This means one or more URLs associated with the subscription cannot be used in their current form. To continue, the client must update the affected URL(s) and resubmit.

Why We are Making this Change

This enhancement is designed to:
  • Reduce security risk
     by preventing outbound calls to unapproved endpoints.
  • Improve compliance
     through stronger review and approval controls.
  • Increase transparency
     with clearer client-visible statuses.
  • Support scale
     through a standardized and repeatable validation process.

Message-Level Encryption Upcoming Mandate

An updated version of message-level encryption (MLE) will become mandatory in order for merchants to use the APIs. Portfolio owners must enable this updated version of MLE for their merchants by
September 2026
.
This required MLE update encrypts all data in your API response messages. The previous version of MLE encrypted only request messages. If your merchants are already using custom JSON Web Token messaging, they must also update how their system constructs JWTs. Merchants who are using HTTP signature messaging must migrate their system to JWT messaging.
You risk transaction failures if you do not implement this MLE update.

Overview of MLE

MLE is a robust security protocol designed to encrypt individual messages or payloads at the application layer. By protecting sensitive data at the message level, MLE ensures that your information remains secure as it moves through systems and networks, providing a layer of security beyond traditional transport encryption.
Enabling MLE requires you to create a REST API key for request messages and a
REST – API Response MLE
 key for response messages. If your organization is using a meta key, the portfolio account or merchant account user who created the meta key must also create the REST – API Response MLE key.
Update Methods
  • Create or update your custom MLE integration using JWTs with P12 certificates. For more information, see the Enable Message-Level Encryption section in the
    Getting Started with REST Developer Guide
    . For a method using shared secret key pairs, see the HTTP Messaging Migration to JWT Messaging section below.
  • Update your REST API SDK. For more information, see the
    REST API related products
     section in the Cybersource GitHub.

JSON Web Token Construction Update

There are new requirements for how to construct JSON Web Tokens (JWTs) in order to send API request messages. If you use a custom integration to construct JWTs, you must update your system to remain compliant. This update is necessary to support the new MLE requirements.
Update Methods

HTTP Messaging Migration to JWT Messaging

By
September 2026
, all merchants using HTTP signature messaging must migrate to JWT messaging in order to support MLE. Merchants already using HTTP signature messaging with shared secret key pairs can now continue using their existing keys with JWT messaging.
Update Method
See Construct JWT Messages Using a
Shared Secret Key Pair
 in the
Getting Started with REST Developer Guide

Smart Auth Retirement

Smart Auth, also known as SuperAuth, is being discontinued. This product was often included in the Essentials package of products for small merchants.
Support for Smart Auth is being discontinued in phases. The final end of life occurs October 5, 2026.
Merchants currently using Smart Auth will receive a 90-day product sunset notification.
Merchants interested in a similar product can use Fraud Management Essentials (FME). FME is an actively supported service that offers improved fraud protection capabilities and system reliability.

Bluefin P2PE Decryption: PCI P2PE Support Ending for PTS 3.X Terminals

Bluefin announced that their support for PCI P2PE on PTS 3.X payment terminals that ended on
April 30, 2026
. These devices are no longer supported or listed as part of Bluefin’s validated PCI P2PE solution.
Bluefin notified clients about the device support status. Customers still using PTS 3.X devices should transition to supported alternatives to remain compliant. For replacement and integration guidance, see the Guidance on Expiring Bluefin P2PE PTS Devices document.

Features Introduced This Week

Batch Processing Email
 | RM-44485

Description
This release updates the email that is sent when batch processing is complete. The enhanced email now includes:
  • The number of successfully processed transactions.
  • The number of declined transactions.
  • The number of transactions with missing responses.
These totals align with the number of transactions submitted in the batch, providing merchants with a quick, high-level status overview.
Mandate
Does not apply.
Audience
All merchants
who are not part of a portfolio. This release will be available to portfolio merchants in the coming months
.
Benefit
The enhanced email provides an immediate, high-level overview of batch processing results, enabling faster decision-making and improved operational efficiency by quickly identifying the overall success rate and any issues that might require attention.
Technical Details
None.
Important Dates
Released to production April 26, 2026.

Batch Processing Report
 | RM-44485

Description
A new report is generated for situations in which a transaction response was not received. Previously, when merchants uploaded batch files, two reports were generated:
reply.all
 and
reply.rejected
. In some scenarios, such as response latency, internal exceptions, or timeouts, a transaction response might not be received. Previously, those cases were communicated manually, and merchants were asked to review the processing status in the Business Center before retrying the transactions.
To improve transparency and reduce manual follow-up, an additional report is now generated automatically for transactions for which no response was received. These are the new report details:
  • Title:
    reply.missing.csv
    .
  • Location: Located with
    reply.all
     and
    reply.rejected
     reports.
  • Report contents: The file will contain the fields
    merchantRefCode
    ,
    merchantID
    , and
    requestID
    .
Mandate
Does not apply.
Audience
All merchants
who are not part of a portfolio. This release will be available to portfolio merchants in the coming months
.
Benefit
This new report enables merchants to easily identify transactions with missing responses.
Technical Details
Merchants are not required to take any additional actions when such transactions occur, and there are no changes to the existing reports.
Important Dates
Released to production April 26, 2026.

Fixed Issues

Oracle NetSuite Version 26.2.1

Description
This release fixes an issue that affected line item data handling within the Customer Payments workflow. Implementing this patch ensures that merchants maintain accurate and complete transaction records when processing customer payments, preventing potential discrepancies in financial reporting and order management workflows
Audience
Users of Oracle NetSuite.
Technical Details
None.
Important Dates
Released to production April 27, 2026.

Known Issues

Credit Transactions
 | EPS-37416

Description
An intermittent issue is causing some follow-on credits that were processed in Latin America to fail.
Audience
Merchants in Latin America.
Technical Details
The reason code is
150: The follow-on credit cannot be processed because the capture transaction has not been processed yet.
Workaround
None.

Click to Pay
 | EPS-37343

Description
For Romanian users of the Click to Pay Drop-In UI, the Phone Number field is being displayed as
Platiti cu cardul
 instead of
Număr de telefon
.
Audience
Users of Click to Pay who use the Romanian translation.
Technical Details
None.
Workaround
None.