Maintaining Cybersource Connectivity Through Upcoming TLS Certificate Changes

Overview

This article explains two related changes that affect Transport Layer Security (TLS) certificates used to connect to Cybersource endpoints:

• Upcoming reductions to the maximum TLS certificate lifetime, driven by new CA/Browser Forum regulations.
• The removal of the root certificate from the certificate chain presented by Cybersource endpoint URLs, in alignment with RFC 5246.

Both changes reinforce the same recommended client action: continue to trust the Cybersource root certificate to maintain uninterrupted connectivity. This article applies to all clients connecting to Cybersource CAS/TEST and Production endpoints.

Background: TLS Certificate Lifetime Reductions

In alignment with new CA/Browser Forum regulations, the maximum TLS certificate lifetime will be reduced gradually as follows:

• From today until March 15, 2026 — maximum lifetime is 398 days.
• As of March 15, 2026 — maximum lifetime will be 200 days.
• As of March 15, 2027 — maximum lifetime will be 100 days.
• As of March 15, 2029 — maximum lifetime will be 47 days.

For more information about the TLS certificate lifetime changes, visit:
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Because server-level (leaf) TLS certificates will have shorter lifespans and must be reissued more frequently, Cybersource recommends that clients trust the root certificate rather than relying on leaf certificates.

Change: Root Certificate Removal from the Presentation Chain

As part of the renewal cycle, the root certificate will be removed from the certificate list presented by Cybersource endpoint URLs. According to RFC 5246, the root certificate is optional in the chain presented by the server, and clients are required to have the root certificate already in their trust store.

There will be no change to the certificate currently in use — only the presentation chain is changing. The root certificate will no longer be included in the chain delivered by the server.

For further details, refer to the certificate list section of RFC 5246:
RFC 5246 – Section 7.4.2

Implementation Dates

• CAS/TEST Environment: June 7, 2026
• Production Environment: July 7, 2026

Affected Cybersource Endpoint URLs

CAS/TEST URLs

• accountupdatertest.cybersource.com
• apitest.cybersource.com
• batchtest.cybersource.com
• api.accountupdatertest.cybersource.com
• ics2wstest.ic3.com
• ics2wstesta.ic3.com

Production URLs

• accountupdater.cybersource.com
• api.cybersource.com
• batch.cybersource.com
• api.accountupdater.cybersource.com
• ics2ws.ic3.com
• ics2wsa.ic3.com
• ics2ws.in.ic3.com
• api.in.cybersource.com
• batch.in.cybersource.com

Required Client Action

Ensure that you continue to trust the root certificate to maintain connectivity with Cybersource endpoints. You can download the root certificate from the .zip file in the Attachments section below.

Common Questions

• How does this change affect Cybersource connectivity?
  • Server-level (leaf) SSL/TLS certificates issued by Cybersource will remain valid until their scheduled expiration. However, server-level (leaf) TLS certificates have shorter lifespans and must be reissued more frequently. Cybersource therefore recommends that clients trust the root certificate instead.
• What is Cybersource's recommendation?
  • Cybersource continues to recommend trusting the Root TLS certificates for all secure endpoints. This approach removes the need for periodic renewal of server-level certificates and helps prevent connection failures caused by expired leaf certificates.
• How can I tell what TLS certificate I am using?
  • You will need to engage your server administrator or your network support team.
• Where can I find the TLS Root certificate?
  • The root certificate is available in the Attachments section below. Please ensure that you continue to trust the root certificate to maintain connectivity with Cybersource endpoints.
• Is the certificate currently in use changing?
  • No. The certificate currently in use is not changing. Only the presentation chain is changing — the root certificate will no longer be included in the chain presented by Cybersource endpoints.

Additional Resources

• RFC 5246 – Section 7.4.2
• DigiCert: TLS Certificate Lifetimes Will Officially Reduce to 47 Days