On This Page
Release Notes
These release notes cover all releases to the production server for the week ending
June 18, 2026
.Announcements
These announcements are for
June 18, 2026
.TLS Update
TLS Certificate Lifetime Reduction
In alignment with new CA/Browser Forum regulations, the maximum TLS certificate lifetime
will be reduced gradually as follows:
• Currently, the maximum lifetime for a TLS certificate is 200 days.
• Beginning March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
• Beginning March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
See this blog for more information about the TLS certificate lifetime changes:
How will this change impact connectivity?
Server-level (leaf) SSL/TLS certificates will remain valid until their scheduled expiration.
Server-level (leaf) TLS certificates have shorter lifespans and must be reissued more
frequently. We therefore recommend that clients trust the root certificate instead.
What is our recommendation?
We continue to recommend trusting the Root TLS certificates for all secure
endpoints. This approach removes the need for periodic renewal of server level certificates
and helps prevent connection failures caused by expired leaf certificates.
How can I tell which TLS certificate I am using?
Contact your server administrator or your network support team.
Where can I find the TLS Root certificate?
Continue trusting the root certificate to maintain connectivity with supported endpoints. You
can download the root certificate from this article:
Contact your Customer Support representatives with any questions.
Webhooks Updates
Webhooks version 1 will be decommissioned by end of the year 2026. See Webhooks version 2 in the Developer
Center.
Enhanced Webhook URL Review and Approval Process
We are introducing an enhancement to webhook subscription processing to improve security,
compliance, and visibility for webhook-related URLs. Webhook URLs will be validated and
reviewed before they can be used. This includes both newly submitted subscriptions and
existing subscriptions currently on file. This change is expected to take place in June 2026.
What is Changing
What is Changing
When a webhook subscription is created or updated, the URLs associated with that
subscription will be evaluated through a validation and approval process.
This applies to:
- Webhook URL(required)
- OAuth URL(if applicable)
- Health Check URL(if applicable)
As part of this enhancement, clients might now see the following user-facing statuses:
- PENDING_REVIEW
- BLOCKED
The existing
INACTIVE
status remains unchanged and continues to indicate that the
subscription is approved and ready within the current lifecycle.Status Descriptions
Status | Description |
|---|---|
PENDING_REVIEW | One or more submitted URLs are being validated or awaiting required security
approval. |
BLOCKED | One or more URLs were rejected or identified as unsafe or non-compliant. The
subscription cannot proceed until the URL(s) are updated. |
INACTIVE | All required approvals are complete, and the subscription is ready under the
existing activation flow. |
How the New Process Works
How the New Process Works
- A webhook subscription is created or updated.
- Submitted URLs are checked against existing approval records.
- New or unknown URLs are evaluated through automated validation.
- If additional review is required, the subscription status changes toPENDING_REVIEW.
- If any URL is rejected or blocked, the subscription status changes toBLOCKED.
- If all required URLs are approved, the subscription status changes toINACTIVE.
Impact on Existing Subscriptions
Impact on Existing Subscriptions
After this change goes live, we will run existing webhook subscriptions through the new
validation process:
- Existing subscription URLs will be assessed using the new validation framework.
- URLs that require additional security review might change the status of the subscription toPENDING_REVIEW.
- If any existing URL is identified as blocked, the associated subscription status will be updated toBLOCKED.
In cases where a subscription status is change to
BLOCKED
, clients will be expected to
perform these tasks:- Review the affected endpoint(s).
- Update the URL(s) to an acceptable endpoint.
- Resubmit the subscription for processing.
For New Subscriptions
For New Subscriptions
New webhook-related URLs may go through validation and, if necessary, security review before
the subscription can proceed.
For Existing Subscriptions
For Existing Subscriptions
Current subscriptions will also be reviewed after they go live. If an existing endpoint does
not meet the new validation requirements, the subscription status might be updated to
BLOCKED
until the URL is corrected.If Your Subscription Is Marked BLOCKED
If Your Subscription Is Marked BLOCKED
This means one or more URLs associated with the subscription cannot be used in their
current form. To continue, the client must update the affected URL(s) and resubmit.
Why We Are Making This Change
Why We Are Making This Change
This enhancement is designed to:
- Reduce security riskby preventing outbound calls to unapproved endpoints.
- Improve compliancethrough stronger review and approval controls.
- Increase transparencywith clearer client-visible statuses.
- Support scalethrough a standardized and repeatable validation process.
Message-Level Encryption Upcoming Mandate
An updated version of message-level encryption (MLE) will become mandatory in order for
merchants to use the APIs. Portfolio owners must enable this updated version of MLE for their
merchants by
September 2026
.This required MLE update encrypts all data in your API response messages. The previous
version of MLE encrypted only request messages. If your merchants are already using custom
JSON Web Token messaging, they must also update how their system constructs JWTs. Merchants
who are using HTTP signature messaging must migrate their system to JWT messaging.
You risk transaction failures if you do not implement this MLE update.
Overview of MLE
MLE is a robust security protocol designed to encrypt individual messages or payloads
at the application layer. By protecting sensitive data at the message level, MLE ensures
that your information remains secure as it moves through systems and networks, providing a
layer of security beyond traditional transport encryption.
Enabling MLE requires you to create a REST API key for request messages and a
REST
– API Response MLE
key for response messages. If your organization is using
a meta key, the portfolio account or merchant account user who created the meta key
must also create the REST – API Response MLE key.- Update Methods
- Create or update your custom MLE integration using JWTs with P12 certificates. For more information, see the Enable Message-Level Encryption section in theGetting Started with REST Developer Guide. For a method using shared secret key pairs, see the HTTP Messaging Migration to JWT Messaging section below.
- Update your REST API SDK. For more information, see theREST API related productssection in the Cybersource GitHub.
JSON Web Token Construction Update
There are new requirements for how to construct JSON Web Tokens (JWTs) in order to
send API request messages. If you use a custom integration to construct JWTs, you must
update your system to remain compliant. This update is necessary to support the new MLE requirements.
- Update Methods
- See Construct JWT Messages Using aP12 Certificatein theGetting Started with REST Developer Guide
- See Construct JWT Messages Using aShared Secret Key Pairin theGetting Started with REST Developer Guide
HTTP Messaging Migration to JWT Messaging
By
September 2026
, all merchants using HTTP signature messaging must migrate
to JWT messaging in order to support MLE. Merchants already using HTTP signature
messaging with shared secret key pairs can now continue using their existing keys
with JWT messaging. - Update Method
- See Construct JWT Messages Using aShared Secret Key Pairin theGetting Started with REST Developer Guide
Smart Auth Retirement
Smart Auth, also known as SuperAuth, is being discontinued. This product was often included in
the Essentials package of products for small merchants.
Support for Smart Auth is being discontinued in phases. The final end of life occurs October 5,
2026.
Merchants currently using Smart Auth will receive a 90-day product sunset
notification.
Merchants interested in a similar product can use Fraud Management Essentials (FME). FME is an actively supported service that offers improved fraud protection capabilities and system reliability.
Features Introduced This Week
REST API | RM-45368
REST API
| RM-45368- Description
- The Merchant Country of Origin feature adds a field to transaction messages that identifies the country where a merchant is legally registered, independent of where the transaction occurs. It is primarily required for government-controlled merchants when their country of origin differs from the acquiring or processing country, ensuring accurate representation in authorization and clearing.
- Mandate
- Mastercard mandate AN 8026.
- Audience
- Merchants who use these merchant category codes:
- 9211 (Court costs including alimony and child support)
- 9222 (Fines)
- 9311 (Tax payments)
- 9399 (Government services - not elsewhere classified)
- 9402 (Postal services - government only)
- 9405 (Intra-government purchases-government only)
- 9406 (Government-owned lottery; global, excluding U.S. region)
- Benefits
- Improves compliance with card network mandates
- Supports issuer decisioning, monitoring, and regulatory controls
- Helps prevent fines
- Technical Details
- Merchants should provide their valid country code in themerchantInformation.merchantDescriptor.countryOfOriginfield.
- Important Dates
- Released to production June 18, 2026.
Fixed Issues
No customer-facing fixes were released this week.
Known Issues
Invoicing | EPS-38316
Invoicing
| EPS-38316- Description
- A bug is causing the invoice tax amount to be overridden with a value of 0 for digital wallet payments.
- Audience
- Merchants using Invoicing with digital wallet payments enabled.
- Technical Details
- None.
- Workaround
- None.
Partner Risk Controls | EPS-38325
Partner Risk Controls
| EPS-38325- Description
- When a portfolio's subordinate account moves a merchant ID to a different risk profile in the Partner Risk Control feature in the Business Center, the change may take longer than expected to take effect. In some cases, it can take up to 24 hours, resulting in transactions continuing to be processed under the previous risk profile even after reassignment.
- Audience
- Acquirers.
- Technical Details
- None.
- Workaround
- None.
Decision Manager | EPS-38386
Decision Manager
| EPS-38386- Description
- Sometimes Case Management's Summary view displays some merchant-defined data fields as string-encoded data instead of plain text. However, in Case Details, the fields appear correctly in plain text.
- Audience
- Owners of single portfolios.
- Technical Details
- None.
- Workaround
- None.