If you are currently unable to connect to the PayJunction website, you will need to make sure that you are using one of the following web browsers to restore your connection with PayJunction and have the highest level of security to protect yourself and your customers:
On October 14th, 2014, PayJunction was made aware of an internet-wide vulnerability in the security protocol SSLv3 (POODLE). To mitigate this, PayJunction has chosen to eliminate support of SSLv3 in accordance with industry best practices as of October 2014.
This vulnerability can allow what is known as a 'Man in the Middle' (MITM) attack, which allows a malicious hacker to see the data being sent by a web browser to a web server, including credit card information. The simplified version of the attack works like this:
- You connect to PayJunction and your web browser tells our server that you want to use TLS security (still secure)
- The attacker then disrupts the communication, at which point your web browser tries to reconnect
- Since the first connection failed, the browser automatically tries to use SSLv3 (now insecure due to POODLE)
- Now you are vulnerable and the attacker can read the information sent from the browser, or even insert malicious data of their own
Due to this, sites all across the internet are rapidly updating their server software to disable SSLv3 completely just as we have, including Twitter, Facebook, CloudFlare, and many, many others.
Am I affected?
As of this writing, we have completely disabled access using SSLv3. If you are unable to load our website, you are very likely being affected by this issue.
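The fallback steps listed above, and the effect of disabling SSLv3 on the server, as a small Python model. This is an added example, not PayJunction's code: the `Proto` enum, the function names and the `disrupted` parameter are hypothetical, and no real TLS handshake is performed.

```python
# Added illustration: a toy model of version fallback, not a TLS implementation.
from enum import IntEnum


class Proto(IntEnum):
    SSLV3 = 0
    TLS1_0 = 1
    TLS1_1 = 2
    TLS1_2 = 3


ALL = frozenset(Proto)
TLS_ONLY = ALL - {Proto.SSLV3}  # a server with SSLv3 switched off


class HandshakeFailed(Exception):
    pass


def handshake(offered, client, server, disrupted=frozenset()):
    """One attempt in which the client offers `offered` as its highest version.

    `disrupted` (hypothetical parameter) is the set of offers that never
    complete because something on the path breaks the connection.
    """
    if offered in disrupted:
        raise HandshakeFailed("connection disrupted")
    common = [p for p in client & server if p <= offered]
    if not common:
        raise HandshakeFailed("no protocol version in common")
    return max(common)


def connect_with_fallback(client, server, disrupted=frozenset()):
    """Retry as the steps above describe: after a failure, offer the next lower version.

    Returns (negotiated protocol or None, list of versions offered).
    """
    offers = []
    for offered in sorted(client, reverse=True):
        offers.append(offered)
        try:
            return handshake(offered, client, server, disrupted), offers
        except HandshakeFailed:
            continue
    return None, offers


if __name__ == "__main__":
    for label, server in (("SSLv3 enabled", ALL), ("SSLv3 disabled", TLS_ONLY)):
        proto, offers = connect_with_fallback(ALL, server, disrupted=TLS_ONLY)
        print(label, "->", proto.name if proto else "connection refused", len(offers))
```

In this model a client that supports only SSLv3 gets no connection from the server with SSLv3 disabled, which is the symptom described under "Am I affected?".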
How can I make sure that I am protecting myself and my customers from this vulnerability?
We have already taken the important step of disabling SSLv3; however, it is always best to make sure that you have the most up-to-date browser installed and that your operating system has the latest security updates installed. PayJunction recommends the following browsers:
Additional Security Measures
PayJunction has also taken further steps to protect our merchants and their customers by applying a 'Fallback' patch to our web servers which explicitly tells a web browser to only accept a certain security protocol, in this case TLS. This fallback patch will allow us to quickly mitigate future disclosed vulnerabilities of this type and was installed and working on our servers within an hour of our upstream providers making it available.