USAePay wants to inform our partners and integrated software clients that the recent SSLv3 POODLE vulnerabilities have made SSLv3 no longer PCI-DSS-compliant. The issue came to the world’s attention in September 2014 when Google released a paper called “This POODLE Bites: Exploiting The SSL 3.0 Fallback”. POODLE stands for Padding Oracle On Downgraded Legacy Encryption and describes a vulnerability in the way websites use SSL encryption to communicate with users or servers.
The POODLE attack can be used against any browser or website that supports SSLv3. If your website or shopping cart solution has SSLv3 enabled, an intruder can employ a “man-in-the-middle” exploit to decrypt sensitive information such as credit card data. We urge our partners to update their code base as soon as possible. Since this problem is in the protocol, anything that uses SSL is affected.
To mitigate the vulnerability, USAePay will be disabling the use of SSLv3 on all processing URLs starting January 15th, 2015. Developers should start actively testing their updated software with the TLS 1.x protocol on USAePay’s sandbox environment (https://sandbox.usaepay.com), where SSLv3 has already been disabled.
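One way an integrator could run the sandbox test described above from the client side. This is an added example, not USAePay code: the function names, the TLS 1.2 floor and the pass/fail strings are assumptions of the example; only the sandbox host name comes from the notice.

```python
import socket
import ssl

SANDBOX_HOST = "sandbox.usaepay.com"  # host named in the notice
# Protocol strings ssl reports that count as "TLS 1.x"; "SSLv3" is never acceptable.
ACCEPTABLE = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def tls_only_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that verifies certificates and cannot fall back to SSLv3."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = minimum       # assumption: this example pins the floor at TLS 1.2
    return ctx


def refuses_sslv3(ctx):
    """True if either the option flag or the version floor excludes SSLv3."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) or ctx.minimum_version >= ssl.TLSVersion.TLSv1


def is_compliant(version):
    """Classify the string returned by SSLSocket.version()."""
    return version in ACCEPTABLE


def negotiated_version(host=SANDBOX_HOST, port=443, timeout=10):
    """Complete a handshake and return the negotiated protocol, e.g. 'TLSv1.2'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with tls_only_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def check(host=SANDBOX_HOST):
    """Return a one-line verdict suitable for a CI log."""
    try:
        version = negotiated_version(host)
    except ssl.SSLError as exc:  # no shared TLS version, or certificate rejected
        return f"FAIL: handshake rejected ({exc.reason})"
    except OSError as exc:       # DNS failure, refused connection, timeout
        return f"ERROR: cannot reach {host}: {exc}"
    if is_compliant(version):
        return f"OK: negotiated {version}"
    return f"FAIL: negotiated {version}"


if __name__ == "__main__":
    print(check())
```

A `FAIL: handshake rejected` result from a client library that is older than the one running this script usually means that library can only offer SSLv3 and needs upgrading before the cutoff date.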
If merchants cannot access https://sandbox.usaepay.com and they are using IE 8, they probably do not have TLS enabled. To enable TLS go to Tools → Internet Options → Advanced. Scroll to the bottom and check off TLS 1.0. Merchants using IE 8 should upgrade as soon as possible.