We're currently running EPiServer Commerce (EPiServer.Commerce.Core.8.15.0) using the version v4.1.3575.0 of the NSoftware Payment Integrator component (nsoftware.IBizPay.dll). I recently had to deal with UPS changing their web services to no longer support TLS 1.0. The NSoftware shipping component we used (v5.x) used TLS 1.0 by default. NSoftware was able to give us a line of code to use to force TLS 1.2 so this issue was resolved.
This made me think about our NSoftware payment component in EPiServer. Given that a v5.x dll didn't default to TLS 1.2, my guess was that v4.1 of the payment component wouldn't either. I verified using Wireshark that the credit card authorization calls to Chase Orbital on our site use TLS 1.0. Unlike our UPS issue where our code calls NSoftware directly, the NSoftware payment component is called by the Mediachase commerce code. In other words, I don't have access to the calls to the NSoftware method in order to specify any custom parameters as with the UPS issue.
1) Is there a way to use a newer version of the NSoftware Payment dll with EPiServer.Commerce.Core.8.15.0?
2) Do newer versions of EPiServer Commerce support the latest version of the NSoftware Payment dll (nsoftware.IBizPay.dll)? If so, what version?
3) If newer versions of EPiServer support a newer version of NSoftware, can you verify TLS 1.2 is used by default?
I have not yet heard from Chase Paymenttech when they will no longer support TLS 1.0 but I did read that TLS 1.0 will no longer be accepted for PCI compliance as of June 30, 2016 (http://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/) so I would like to make sure our EPiServer Commerce site is updated for when this inevitably happens.
Thanks for the feedback, we will log a bug (COM-871) to support the minimum version of NSoftware that supports TLS 1.2 in an upcoming version. For your current version you could try a nuget force update version and update assembly bindings. I am not sure if there are breaking changes that affect the providers so an upgrade to a released version that fixes the issue might be the only option.
I reached out to NSoftware. They said that just dropping in the version 6 dll over the version 4 dll will not work (as expected). However, they said not much has changed between 4 and 6 so updating EPiServer to support v6 should hopefully not take too much effort.
I reached out to Chase Paymenttech and they said that the Orbital gateway will no longer accept SSL and outdated TLS requests starting June 2016.
Due to licensing issues we have open sourced the nsoftware payment gateways and upgraded them to the latest version. To use the latest version you will need to acquire a license from nsoftware.