Dear CA Payment Security Customer and Partner,
This Advisory is to inform you of a forthcoming Emergency Maintenance update for SaaS Customers using the “$ Authorization Service” for performing cardholder verification during 3-D Secure new enrollment and password reset flows.
Who is affected by this Advisory?
This Advisory applies only to Issuers who are validating payment card account details such as Card Numbers, CVV, Expiry Date and Postal Code using “$ Authorization Service” during initial cardholder enrolment or password reset operations. Where the “$ Authorization Service” is not used this Advisory does not apply.
Where the issuer does use the “$ Authorization Service” normal purchase transaction processing for any cardholder who is already enrolled for 3-D Secure and who does not need to reset their password during a 3-D Secure purchase transaction will not be affected.
The following types of transaction may be unable to complete successfully only in the case where the cardholder is shopping at a 3-D Secure enabled merchant during the maintenance window and where the issuer does use the “$ Authorization Service” in their configuration on CA’s Transaction Manager SaaS platform:
Where card details are required to be validated during cardholder enrolment or password reset flows, for some issuers the CA SaaS platform performs this validation by sending a “$ Authorization” to the issuing bank via an Acquirer, just as a real e-commerce merchant would do. The interface to the Service Provider operates via a TLS connection between the CA SaaS platform and the Service Provider.
CA received notification on February 5th 2016 of a change being implemented by the Service Provider on February 10 2016 (GMT time zone) that affects the “$ Authorization” function used by the CA Transaction Manager SaaS platform. The Service Provider is updating their servers’ certificates for Secure Socket Layer (SSL) and Transport Layer Security (TLS) communications to comply with the latest industry requirements and best practices.
As a result of the Service Provider’s certificate update, CA must also perform a coordinated update on the SaaS Platform to the backend certificates used for communicating with the $ Authorization Service Provider. Because of the short notice period given by the Service Provider CA is required to schedule this as an Emergency Maintenance update to the SaaS platform, as per our standard Service Level Agreement. CA has explored whether the Service Provider can delay their update however they are unable to do so owing to the number of merchants they support.
CA worked immediately after notification by the Service Provider to research the required configuration changes and validate these using the Service Provider’s test environment. This testing process has been successfully concluded and the required changes to the production platform identified. The changes involve configuring additional root certificates to enable the Service Provider’s new server certificates to be validated by the CA SaaS Platform.
Service Availability Monitoring
CA will be performing a coordinated update of the TLS/SSL certificates used for communication with the $ Authorization Service Provider during the maintenance window.
The CA Support team and CA SaaS Hosting teams will be monitoring the Transaction Manager SaaS platform to verify the success of the update.
In the event that the $ Authorization Service Provider performs a rollback of their changes the CA SaaS platform will automatically fall back to the configuration used prior to the Service Provider’s update and the $ Authorization function will continue to operate normally.
For all production issues identified during upgrade and post upgrade, please contact the CA Support team at by phone at 1-866-992-7268 (or your regional support contact) or by email at Arcot-Support@ca.com.
The CA Payment Security Team