Transport Layer Security (TLS) Requirements for PSP Connectivity in EMC
This section contains information about TLS in relation to securing communications with Payment Service Providers (PSP).
No TLS Support
If TLS is not enabled, Simphony communicates with the PSP over plain HTTP, so request and response contents cross the network unencrypted and can be read or altered by anyone on the path. Customers using this configuration should implement compensating controls to protect the network path (for example, Microsoft NT LAN Manager (NTLM) authentication between the endpoints, combined with network segmentation). Note that NTLM authenticates the two parties but does not by itself encrypt the HTTP payload, so it does not replace TLS.
Note: Oracle recommends using TLS whenever the PSP supports it.
TLS Server Certificate Support
- No Certificate: The PSP uses TLS but does not provide a server certificate (.cer file) to the client. The communication is encrypted, but the client cannot validate the server's identity: with nothing trusted to check the handshake against, the client has no way to confirm that the party it shares the session key with is really the PSP, so an on-path attacker could impersonate the PSP.
- Certificates: A server certificate binds the server's identity to its public key, so the client can verify that the certificate presented during the handshake belongs to the PSP.
  - PSPs can use certificates from a known certificate authority (CA). In this case the client validates the server certificate against the CA certificate installed in its local trust store.
  - PSPs can also use a self-signed certificate. The client cannot validate it through a CA, so it must trust that specific certificate explicitly.
  - In either case, the PSP may provide a .cer file so the client can validate the presented X.509 certificate: the CA certificate in the first case, the self-signed certificate itself in the second. Obtain the .cer file through a trusted channel and confirm its fingerprint with the PSP before installing it; a .cer installed without that check gives no more assurance than no certificate at all.
TLS Client Certificate Support (Mutual TLS)
Client certificates let the PSP validate that the workstation is a trusted client (mutual TLS): the client presents its own certificate during the handshake and proves possession of the matching private key.
Certificate issuance and lifecycle management are handled by the PSP and the customer's PKI processes.
Client certificate files are typically PKCS#12 (.pfx) files that bundle the certificate (public key) with its private key; the file is protected by a password that must be supplied to open it. Because the .pfx contains the private key, store the file and its password with the same care as any other credential and restrict access to the workstation accounts that need it.
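The client postures described in the two sections above (no server validation, the locally installed CA store, a PSP-supplied .cer loaded as a trust root, and mutual TLS with a workstation certificate) can be exercised end to end against a stand-in PSP. The following Go program is an added example written for this page; it is not Simphony or PSP code. It constructs a throwaway CA, server certificate and workstation certificate in memory (the names Example PSP CA, psp.example and workstation-01 are made up), starts two local TLS endpoints with Go's httptest package, one of which requires a client certificate, and records which client configurations each endpoint accepts. Reading the real .cer and .pfx files is left out: a deployed client would load the .cer into the RootCAs pool, and would first convert the .pfx to a certificate and key (for example with openssl pkcs12), since Go's standard library does not parse PKCS#12 directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a P-256 key and a certificate for cn signed by parent; a nil parent yields a self-signed
// CA (the constructed PSP CA). The CA gets no EKU, since in Go an issuer's EKU also restricts its leaves.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on 127.0.0.1
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildPKI constructs throwaway material, not real PSP material: the PSP CA as a trust pool (what a
// PSP-supplied .cer carries), a server certificate, and a workstation certificate plus key (what a .pfx carries).
func buildPKI() (*x509.CertPool, tls.Certificate, tls.Certificate) {
	ca, caKey := issue("Example PSP CA", 1, nil, nil)
	srv, srvKey := issue("psp.example", 2, ca, caKey, x509.ExtKeyUsageServerAuth)
	cli, cliKey := issue("workstation-01", 3, ca, caKey, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
}

// startPSP stands in for the PSP endpoint; with mutualTLS set it also demands a client certificate chaining to the CA.
func startPSP(server tls.Certificate, clientCAs *x509.CertPool, mutualTLS bool) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12}
	if mutualTLS {
		s.TLS.ClientAuth = tls.RequireAndVerifyClientCert
		s.TLS.ClientCAs = clientCAs
	}
	s.StartTLS()
	return s
}

// runScenarios tries each client posture from the text against the stand-in PSP and reports whether the
// request was served (true) or the connection was refused by either side (false).
func runScenarios() map[string]bool {
	caPool, server, client := buildPKI()
	plain, mtls := startPSP(server, caPool, false), startPSP(server, caPool, true)
	defer plain.Close()
	defer mtls.Close()
	ok := func(url string, cfg *tls.Config) bool {
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}).Get(url)
		if err == nil {
			resp.Body.Close()
		}
		return err == nil
	}
	return map[string]bool{
		// Encrypted but unauthenticated: any certificate, including an attacker's, is accepted.
		"no_validation": ok(plain.URL, &tls.Config{InsecureSkipVerify: true}),
		// Local trust store only: the PSP's CA is not installed in it, so validation fails.
		"system_trust": ok(plain.URL, &tls.Config{}),
		// The PSP-supplied .cer is loaded as a trust root: the server's identity is validated.
		"provided_cer": ok(plain.URL, &tls.Config{RootCAs: caPool}),
		// Mutual TLS endpoint but no workstation certificate offered: the PSP refuses the handshake.
		"mtls_without_client": ok(mtls.URL, &tls.Config{RootCAs: caPool}),
		// Mutual TLS with the workstation certificate and its private key: accepted.
		"mtls_with_client": ok(mtls.URL, &tls.Config{RootCAs: caPool, Certificates: []tls.Certificate{client}}),
	}
}
func main() {
	for name, connected := range runScenarios() {
		fmt.Printf("%-20s connected=%v\n", name, connected)
	}
}
```

The no_validation entry connects successfully, which is exactly the problem with the no-certificate posture: a client configured this way would have connected just as happily to an attacker's endpoint presenting an attacker's key. system_trust fails because nothing in the default store vouches for the constructed CA, which is the situation with a self-signed PSP certificate (or a private PSP CA) until its .cer has been installed; provided_cer shows the same handshake succeeding once it is. The two mtls entries show that the PSP, not the workstation, enforces client authentication: a valid server trust root is not enough unless the workstation also presents the certificate and private key from its .pfx.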