
This article describes upcoming mandates initiated by Cybersource Security and the latest updates related to each.

REST API Digest Parentheses Removal (REST HTTP Signature) - Production Implementation by Date: Relaxed

Cybersource API calls using HTTP Signature authentication must adhere to industry standards and will no longer support the use of parentheses within the HTTP header. This means that all parentheses within the HTTP header must be removed. Until September 2023, parentheses were used around the (request-target) in the headers. Currently, the Production and Test environments accept the header both with and without the parentheses. Once the change is implemented, Cybersource will reject headers containing parentheses. You may verify the compliance of your integration in advance by removing the parentheses, generating the signature, and testing in the current Test and Production environments.

Update:

A change was made internally to help mitigate this issue for our merchants. Our merchants are now able to send the HTTP Signature using the legacy "(request-target)" or new "request-target" formats.

SDKs have been updated to reflect this change. Please read more on our blog post with SDK links here.
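The two formats side by side, as an added example (not Cybersource SDK code): it builds the signing string and Signature header with the legacy "(request-target)" name and with the new "request-target" name, and checks a header for the legacy form. The field order, the `v-c-merchant-id` field, the `HmacSHA256` label, the base64-encoded shared secret and every sample value are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re


def build_headers(key_id, secret_b64, merchant_id, host, date, method, path,
                  body, legacy=False):
    """Return (Digest, Signature) header values for one request.

    legacy=True names the pseudo-header "(request-target)"; the default uses
    the parenthesis-free "request-target".
    """
    target = "(request-target)" if legacy else "request-target"
    digest = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    # Assumed field order; the same names must appear in the headers= list.
    fields = [("host", host), ("date", date),
              (target, f"{method.lower()} {path}"),
              ("digest", digest), ("v-c-merchant-id", merchant_id)]
    signing_string = "\n".join(f"{name}: {value}" for name, value in fields)
    mac = hmac.new(base64.b64decode(secret_b64), signing_string.encode(),
                   hashlib.sha256).digest()
    names = " ".join(name for name, _ in fields)
    signature = (f'keyid="{key_id}", algorithm="HmacSHA256", '
                 f'headers="{names}", signature="{base64.b64encode(mac).decode()}"')
    return digest, signature


def uses_parentheses(signature_header):
    """True if the headers= list of a Signature header names a field in parentheses."""
    match = re.search(r'headers="([^"]*)"', signature_header)
    if match is None:
        raise ValueError("Signature header has no headers= parameter")
    return any("(" in name or ")" in name for name in match.group(1).split())


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    args = dict(key_id="00000000-0000-0000-0000-000000000000",
                secret_b64=base64.b64encode(b"constructed-demo-secret").decode(),
                merchant_id="example_merchant", host="api.example.test",
                date="Thu, 01 Feb 2024 12:00:00 GMT", method="POST",
                path="/example/path", body=b'{"example": true}')
    for legacy in (True, False):
        _, sig = build_headers(legacy=legacy, **args)
        print("legacy" if legacy else "new   ", uses_parentheses(sig), sig)
```

Because the field name is part of the signed string, the two formats produce different signature values for the same request, so the signing string and the `headers` list have to change together.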

Default Password p12 Keys (Simple Order API, REST JWT, Batch Upload, Account Updater Batch Upload) - Production Implementation by Date: February 28, 2024

All Cybersource-issued P12 keys created after the production implementation date will be secured with a password set by the user during key generation, as opposed to the current default password within the Cybersource Business Center. This password will not be stored within Cybersource systems and must be securely stored by the user to open the key file and/or for use with your API implementation. Because the password will be different from previous default passwords, you must now verify that you have set your password within your API implementation to reference the key correctly.

If you use the Cybersource sample code:

Simple Order API

Within the configuration file (*.properties, *.config, *.ini, etc.) there should be a variable for the password of the p12 key. Within the Simple Order Java cybs.properties file it is called keyPassword. This variable may not have been set previously or may have been commented out. Please uncomment and enter the password you set in the Enterprise Business Center.

REST API JWT

You must reference the correct password in order to access the private key necessary to generate the JWT; some implementations may read the p12 key, or individual keys within. Depending on your implementation, extract the private key with the new password, or reference the password in your implementation in place of the current default password.

Batch File Upload / Account Updater Upload

Programmatic Batch Upload and Account Updater Upload both reference the p12 key file. In the Cybersource sample, the passPhrase is used to access the p12 key. Please set this value in the code / keystore / properties file to the new password and not the previous default password.

SHA 256 Envelope p12 Keys (Simple Order API, REST JWT) - Production Implementation by Date: February 28th, 2024

P12 keys will be generated with an enhanced HmacPBESHA-256 algorithm. This may prevent older SDKs and/or operating systems from accessing the key if they do not support higher strength keys. To ensure there is no impact to your Simple Order API implementation, please update to the latest version of the Cybersource SDK, and ensure your Operating System / Key Store / Programming Language can support these keys.

Update: As of December 7th, 2023 we have updated our test environment to generate p12 keys with a SHA256 envelope. These can be used to test your environment prior to our Production deployment.
