{"title":"Transport Layer Security (TLS)","category":"default","creationDate":1779533780,"content":"<p>The Transport Layer Security (TLS) protocol is essential for maintaining secure communications. Adyen uses TLS and TLS certificates to make sure of the following:<\/p>\n<ul>\n<li>The connection between your system and our platform is secure.<\/li>\n<li>You can verify that you are communicating with our platform.<\/li>\n<\/ul>\n<p>Different TLS versions support different cipher suites (encryption algorithms) to encrypt the data that is transported. In accordance with PCI DSS requirements, Adyen supports specific TLS versions and ciphers that the industry considers as strong.<\/p>\n<p>If you do not use the correct TLS version and cipher suite, it is possible that we cannot receive your API requests.<\/p>\n<h2>Requirements<\/h2>\n<p>Before you begin, check if the information on this page applies to you.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Requirement<\/th>\n<th style=\"text-align: left;\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><strong>Integration type<\/strong><\/td>\n<td style=\"text-align: left;\">The information on this page is relevant for all Adyen integrations.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"supported-tls\">Supported TLS versions and ciphers<\/h2>\n<p>Different TLS versions support different cipher suites (encryption algorithms) to encrypt the data that is transported. In accordance with PCI DSS requirements, we support specific TLS versions and ciphers that the industry considers as strong. Cipher suites that are considered strong today may be considered weak in the future. Adyen continuously monitors which versions and cipher suites are used to connect to our platform. If you are using cipher suites or versions that we no longer consider secure, we notify you through <a href=\"\/account\/notification-center\">Customer Area notifications<\/a>. 
Make sure that you use a supported TLS version and cipher suite, otherwise it is possible that we cannot receive your API requests.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">TLS version<\/th>\n<th style=\"text-align: left;\">Version support<\/th>\n<th>Supported ciphers<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\">TLS 1.2<\/td>\n<td style=\"text-align: left;\">Only supported for existing merchants using strong ciphers<\/td>\n<td>ECDHE-ECDSA-CHACHA20-POLY1305 <br> ECDHE-ECDSA-AES128-GCM-SHA256<br> ECDHE-ECDSA-AES256-GCM-SHA384 <br> ECDHE-RSA-AES256-GCM-SHA384 <br> ECDHE-RSA-CHACHA20-POLY1305 <br> ECDHE-RSA-AES128-GCM-SHA256<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">TLS 1.3<\/td>\n<td style=\"text-align: left;\">Supported <br>New integrations must use TLS 1.3<\/td>\n<td>TLS_AES_256_GCM_SHA384 <br> TLS_CHACHA20_POLY1305_SHA256<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"notices red\">\n<p>Make sure your TLS connections use SNI.<\/p>\n<\/div>\n<p>New integrations must use TLS 1.3 with the TLS_AES_256_GCM_SHA384 or TLS_CHACHA20_POLY1305_SHA256 cipher suite.<\/p>\n<p>If you are currently using TLS 1.2, we encourage you to <strong>update to TLS 1.3<\/strong> because TLS 1.3 offers significant improvements:<\/p>\n<ul>\n<li>Stronger encryption algorithms, including support for modern cipher suites like AES-GCM and ChaCha20-Poly1305. 
This makes data transmissions more resistant to attacks.<\/li>\n<li>Faster handshake: establishing a secure connection takes less time, which improves performance.<\/li>\n<li>Forward secrecy: if a private key becomes compromised, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted.<\/li>\n<li>Removal of outdated and less secure cryptographic algorithms and features.<\/li>\n<\/ul>\n<h2>Certificate pinning<\/h2>\n<p>We strongly recommend that you do not use <a href=\"https:\/\/www.ssl.com\/blogs\/what-is-certificate-pinning\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">certificate pinning<\/a>.<\/p>\n<p>If you use certificate pinning, your platform only accepts the certificate that you pinned for Adyen. When we change our TLS certificate and present a different certificate during the TLS handshake, your application refuses to connect to our platform, even when the updated TLS certificate is issued by a trusted <a href=\"https:\/\/www.ssl.com\/article\/what-is-a-certificate-authority-ca\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Certificate Authority (CA)<\/a>.<\/p>\n<p>Why Adyen does not support certificate pinning of any kind:<\/p>\n<ul>\n<li>Outside of Adyen's control: your system handles certificate pinning. We do not know if you do it or which certificates you pin.<\/li>\n<li>Risk of failing connections: when we update our TLS certificate, and your system still expects the previous one, your connection to our platform breaks.<\/li>\n<\/ul>\n<h3>Certificate changes<\/h3>\n<p>When Adyen changes TLS certificates, no issues occur if you do not use certificate pinning. 
However, some organizations have policies that require certificate pinning, which can cause issues and broken connections with our platform.<\/p>\n<p>If you must use certificate pinning, do the following to reduce the risk of issues.<\/p>\n<ul>\n<li>Only pin the root certificates: instead of pinning the leaf certificates or the entire certificate chain, you must pin all of the following root certificates:\n<ul>\n<li><a href=\"https:\/\/www.digicert.com\/kb\/digicert-root-certificates.htm#:~:text=F0:AA:B7-,DigiCert Global Root CA,-Download PEM |\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">DigiCert Global Root CA<\/a><\/li>\n<li><a href=\"https:\/\/www.digicert.com\/kb\/digicert-root-certificates.htm#:~:text=expired &#xA0;&#xA0;revoked-,DigiCert Global Root G2,-Download PEM |\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">DigiCert Global Root G2<\/a><\/li>\n<li><a href=\"https:\/\/www.digicert.com\/kb\/digicert-root-certificates.htm#:~:text=expired &#xA0;&#xA0;revoked-,DigiCert Global Root G3,-Download PEM |\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">DigiCert Global Root G3<\/a><\/li>\n<\/ul><\/li>\n<li>Keep track of TLS certificate updates: even if you pin all the root certificates, Adyen can add a new Root Certificate Authority (Root CA) to our trust store in the following cases:\n<ul>\n<li>Regular business practice: we send a <a href=\"\/account\/notification-center#service-status-messages\">system message<\/a> to notify you 30 days before we make the change.<\/li>\n<li>Emergency cases: the notice period can be shorter before we make the change.<\/li>\n<\/ul><\/li>\n<\/ul>\n<p>It is your responsibility to ensure your applications (for example, web or mobile) can handle any certificate changes.<\/p>\n<h2>See also<\/h2>\n<div class=\"see-also-links output-inline\" id=\"see-also\">\n<ul><li><a 
href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\" class=\"external\">Read more about Transport Layer Security<\/a><\/li><\/ul><\/div>\n","url":"https:\/\/docs.adyen.com\/development-resources\/security\/sensitive-data\/tls","articleFields":{"description":"Use the correct TLS configuration to protect data during transmission.","feedback_component":true,"filters_component":false,"decision_tree":"[]"},"algolia":{"url":"https:\/\/docs.adyen.com\/development-resources\/security\/sensitive-data\/tls","title":"Transport Layer Security (TLS)","type":"page","locale":"en","boost":16,"hierarchy":{"lvl0":"Home","lvl1":"Development resources","lvl2":"Security resources","lvl3":"Protecting sensitive data","lvl4":"Transport Layer Security (TLS)"},"hierarchy_url":{"lvl0":"https:\/\/docs.adyen.com\/","lvl1":"https:\/\/docs.adyen.com\/development-resources","lvl2":"https:\/\/docs.adyen.com\/development-resources\/security","lvl3":"https:\/\/docs.adyen.com\/development-resources\/security\/sensitive-data","lvl4":"\/development-resources\/security\/sensitive-data\/tls"},"levels":5,"category":"Development Resources","category_color":"green","tags":["Transport","Layer","Security","(TLS)"]}}
