Release Notes {#rn-general} =========================== These release notes cover all releases to the production server for the week ending June 12, 2026. Announcements {#rn-announce} ============================ These announcements are for June 12, 2026. Webhooks Updates {#webhooks-validations-decommission} ===================================================== Webhooks version 1 will be decommissioned by end of the year 2026. See [Webhooks version 2 in the Developer Center](https://developer.cybersource.com/api-reference-assets/index.md#webhooks ""). Enhanced Webhook URL Review and Approval Process {#webhooks-urls} ================================================================= We are introducing an enhancement to webhook subscription processing to improve security, compliance, and visibility for webhook-related URLs. Webhook URLs will be validated and reviewed before they can be used. This includes both newly submitted subscriptions and existing subscriptions currently on file. This change is expected to take place in June 2026. **What is Changing** {#webhooks-urls_section_dnx_jdt_1jc} --------------------------------------------------------- When a webhook subscription is created or updated, the URLs associated with that subscription will be evaluated through a validation and approval process. This applies to: * **Webhook URL** (required) * **OAuth URL** (if applicable) * **Health Check URL** (if applicable) {#webhooks-urls_ul_enx_jdt_1jc} As part of this enhancement, clients might now see the following user-facing statuses: * **PENDING_REVIEW** * **BLOCKED** {#webhooks-urls_ul_fnx_jdt_1jc} The existing **INACTIVE** status remains unchanged and continues to indicate that the subscription is approved and ready within the current lifecycle. Status Descriptions ------------------- | **Status** | **Description** | |--------------------|----------------------------------------------------------------------------------------------------------------------------------------| | **PENDING_REVIEW** | One or more submitted URLs are being validated or awaiting required security approval. | | **BLOCKED** | One or more URLs were rejected or identified as unsafe or non-compliant. The subscription cannot proceed until the URL(s) are updated. | | **INACTIVE** | All required approvals are complete, and the subscription is ready under the existing activation flow. | **How the New Process Works** {#webhooks-urls_section_hnx_jdt_1jc} ------------------------------------------------------------------ 1. A webhook subscription is created or updated. 2. Submitted URLs are checked against existing approval records. 3. New or unknown URLs are evaluated through automated validation. 4. If additional review is required, the subscription status changes to **PENDING_REVIEW**. 5. If any URL is rejected or blocked, the subscription status changes to **BLOCKED**. 6. If all required URLs are approved, the subscription status changes to **INACTIVE**. {#webhooks-urls_ol_inx_jdt_1jc} **Impact on Existing Subscriptions** {#webhooks-urls_section_jnx_jdt_1jc} ------------------------------------------------------------------------- After this change goes live, we will run existing webhook subscriptions through the new validation process: * Existing subscription URLs will be assessed using the new validation framework. * URLs that require additional security review might change the status of the subscription to **PENDING_REVIEW**. * If any existing URL is identified as blocked, the associated subscription status will be updated to **BLOCKED**. {#webhooks-urls_ul_knx_jdt_1jc} In cases where a subscription status is change to **BLOCKED**, clients will be expected to perform these tasks: * Review the affected endpoint(s). * Update the URL(s) to an acceptable endpoint. * Resubmit the subscription for processing. {#webhooks-urls_ul_lnx_jdt_1jc} **For New Subscriptions** {#webhooks-urls_section_mnx_jdt_1jc} -------------------------------------------------------------- New webhook-related URLs may go through validation and, if necessary, security review before the subscription can proceed. **For Existing Subscriptions** {#webhooks-urls_section_nnx_jdt_1jc} ------------------------------------------------------------------- Current subscriptions will also be reviewed after they go live. If an existing endpoint does not meet the new validation requirements, the subscription status might be updated to **BLOCKED** until the URL is corrected. **If Your Subscription Is Marked BLOCKED** {#webhooks-urls_section_onx_jdt_1jc} ------------------------------------------------------------------------------- This means one or more URLs associated with the subscription cannot be used in their current form. To continue, the client must update the affected URL(s) and resubmit. **Why We Are Making This Change** {#webhooks-urls_section_pnx_jdt_1jc} ---------------------------------------------------------------------- This enhancement is designed to: * **Reduce security risk** by preventing outbound calls to unapproved endpoints. * **Improve compliance** through stronger review and approval controls. * **Increase transparency** with clearer client-visible statuses. * **Support scale** through a standardized and repeatable validation process. {#webhooks-urls_ul_qnx_jdt_1jc} Message-Level Encryption Upcoming Mandate {#announcement-mle} ============================================================= An updated version of message-level encryption (MLE) will become mandatory in order for merchants to use the APIs. Portfolio owners must enable this updated version of MLE for their merchants by **September 2026**. This required MLE update encrypts all data in your API response messages. The previous version of MLE encrypted only request messages. If your merchants are already using custom JSON Web Token messaging, they must also update how their system constructs JWTs. Merchants who are using HTTP signature messaging must migrate their system to JWT messaging. > You risk transaction failures if you do not implement this MLE update. Overview of MLE --------------- MLE is a robust security protocol designed to encrypt individual messages or payloads at the application layer. By protecting sensitive data at the message level, MLE ensures that your information remains secure as it moves through systems and networks, providing a layer of security beyond traditional transport encryption. Enabling MLE requires you to create a REST API key for request messages and a *REST -- API Response MLE* key for response messages. If your organization is using a meta key, the portfolio account or merchant account user who created the meta key must also create the REST -- API Response MLE key. Update Methods : * Create or update your custom MLE integration using JWTs with P12 certificates. For more information, see the [Enable Message-Level Encryption](https://developer.cybersource.com/docs/cybs/en-us/platform/developer/all/rest/rest-getting-started/restgs-jwt-message-intro/restgs-mle-intro.md "") section in the *Getting Started with REST Developer Guide*. For a method using shared secret key pairs, see the HTTP Messaging Migration to JWT Messaging section below. * Update your REST API SDK. For more information, see the *REST API related products* section in the [Cybersource GitHub](https://github.com/CyberSource ""). JSON Web Token Construction Update ---------------------------------- There are new requirements for how to construct JSON Web Tokens (JWTs) in order to send API request messages. If you use a custom integration to construct JWTs, you must update your system to remain compliant. This update is necessary to support the new MLE requirements. Update Methods : * See [Construct JWT Messages Using a P12 Certificate](https://developer.cybersource.com/docs/cybs/en-us/platform/developer/all/rest/rest-getting-started/restgs-jwt-message-intro/restgs-jwt-const-intro.md "") in the *Getting Started with REST Developer Guide* * See [Construct JWT Messages Using a Shared Secret Key Pair](https://developer.cybersource.com/docs/cybs/en-us/platform/developer/all/rest/rest-getting-started/restgs-jwt-shared-secret-intro/restgs-jwt-con-shared-secret-intro.md "") in the *Getting Started with REST Developer Guide* HTTP Messaging Migration to JWT Messaging ----------------------------------------- By **September 2026** , all merchants using HTTP signature messaging must migrate to JWT messaging in order to support MLE. Merchants already using HTTP signature messaging with shared secret key pairs can now continue using their existing keys with JWT messaging. Update Method : See [Construct JWT Messages Using a Shared Secret Key Pair](https://developer.cybersource.com/docs/cybs/en-us/platform/developer/all/rest/rest-getting-started/restgs-jwt-shared-secret-intro.md "") in the *Getting Started with REST Developer Guide* Smart Auth Retirement {#smart-auth-eol-33440} ============================================= Smart Auth, also known as SuperAuth, is being discontinued. This product was often included in the Essentials package of products for small merchants. Support for Smart Auth is being discontinued in phases. The final end of life occurs October 5, 2026. Merchants currently using Smart Auth will receive a 90-day product sunset notification. Merchants interested in a similar product can use Fraud Management Essentials (FME). FME is an actively supported service that offers improved fraud protection capabilities and system reliability. Features Introduced This Week {#rn-features} ============================================ No customer-facing features were released this week. Fixed Issues {#rn-fixed-issues} =============================== **Merchant-Initiated Transactions** \| RM-46054 ----------------------------------------------- Description : Cybersource assigns ISO Field 60 based on certain merchant parameters. Until now, subfield 60.8 has had a value of 02 for global recurring transactions, however, 02 applies only for U.S. and Canada. 07 is now supported for the rest of the world. Audience : All acquirers and merchants who process recurring merchant-initiated transactions outside the U.S. and Cananda. Technical Details : None. Important Dates : Released to Production June 12, 2026. Known Issues {#rn-known-issues} =============================== **Virtual Terminal** \| EPS-37322 --------------------------------- Description : In the Virtual Terminal, when the ZIP/Postal Code is set as Required, that requirement is not being enforced for countries other than the U.S. and Canada. Audience : Merchants outside the U.S. and Canada who use the Virtual Terminal. Technical Details : None. Workaround : None. **Fraud Management Essentials** \| EPS-37175 -------------------------------------------- Description : Exporting the Rule Performance Report generates incorrect values, causing numeric fields to appear duplicated. For example, a field that contains *123* is exported as *123123*. Audience : Users of Fraud Management Essentials. Technical Details : None. Workaround : None. **Credit Authorizations** \| EPS-37776 -------------------------------------- Description : When a Credit Authorization is submitted using the REST APIs */credit* endpoint and the authorization fails, the submitTimeUtc field is not returned. Audience : Users of the REST API. Technical Details : None. Workaround : None. **Voids** \| EPS-37884 ---------------------- Description : When a merchant in India attempts to void a transaction in the Business Center, an error message appears that says: *Request failed due to system error*, even in cases where the void was successful. Audience : Merchants in India. Technical Details : None. Workaround : None. **Payments through TSYS** \| EPS-37988 -------------------------------------- Description : A bug is triggered when a merchant submits a request for a combined authorization and capture transaction that includes the `ignore_bad_cv` field with a value of `yes`. If the authorization part of the transaction is hard-declined (Reason Code 203), the transaction is captured. This is incorrect because the transaction should be captured only for a soft-decline (Reason Code 230). Audience : Merchants who process transactions through TSYS Acquiring Solutions. Technical Details : None. Workaround : None. **Partner Risk Controls (PaRC)** \| EPS-38258 --------------------------------------------- Description : PaRC users are unable to remove MIDs (merchant accounts) from PaRC profiles. Audience : Merchants in Central Europe, the Middle East, and Africa. Technical Details : None. Workaround : Create a temporary profile, set the temporary profile to default, and then delete the temporary profile. This removes the default tag from the current profile, which fixes the problem.