What does TLS stand for?
TLS stands for Transport Layer Security, the set of protocols that provide encryption security for your connectivity system. The Payment Card Industry Data Security Standard, which governs the secure processing and transmission of credit card information, has set us a deadline of 3rd September 2018 for disabling early TLS versions (v1.0 - v1.1) and implementing a more secure encryption protocol, called TLS v1.2.
What is a TLS protocol?
TLS is a widely used protocol, designed to guarantee the safety of data transfers over a network. TLS encrypts a channel between two endpoints (for example, between Booking.com’s web server and your server) to ensure the privacy and reliability of data being transmitted.
Why is this important?
This change will ensure greater safety for transactions made via your system. Early versions of TLS (TLS v1.0 - v1.1) no longer meet minimum security standards due to security vulnerabilities in the protocol for which no fixes are available. As a result, data transmitted using these protocols can be intercepted and decrypted by malicious actors.
What version of TLS do I need to have?
You need to update to TLS version 1.2.
Does this change affect me even if I don’t deal with credit cards?
Yes. After 3rd September 2018, any provider with old versions of the TLS protocol will no longer be able to receive reservations from Booking.com – regardless of whether they handle credit card data or not.
PCI DSS requires all e-commerce platforms to update protocols that are no longer considered secure. This means that all connections established to create reservations or retrieve reservation data over public or untrusted channels using early versions of TLS will be blocked.
Does the update require any development time?
No, it only requires some time from your system administrator.
What if I already use TLS version 1.2?
If you’ve already updated to TLS 1.2, no action is required from your side. However, we recommend you check with our support team (email@example.com) to avoid any confusion.
Is there anything else I should do?
Yes, you should test all connections, not just reservation connections. You can do this by connecting to the Booking.com test entry points located at tls12-secure-supply-xml.booking.com. Please test all endpoints from your system via this domain entry point to confirm that they work properly. Following the test, revert your system to the original domain entry point, as we will shut down this test entry point shortly after the deadline.
Please note that these test entry points connect to the normal production servers. Therefore all transactions (requests or updates) sent will be treated like real transactions.
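Because the test entry points reach production, it can help to first confirm locally which protocol versions your client offers before sending any real request. The following is an added example, not Booking.com code: it builds a Python client context with a TLS 1.2 floor, generates the ClientHello in memory without opening a network connection, and parses the versions it advertises. The function names are hypothetical and the use of Python's `ssl` module on the partner side is an assumption.

```python
import ssl
import struct

TEST_HOST = "tls12-secure-supply-xml.booking.com"  # test entry point named on the page
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def tls12_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def client_hello(ctx, host=TEST_HOST):
    """Return the raw ClientHello record the context would send (no network I/O)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a ServerHello
    return outgoing.read()

def offered_versions(record):
    """Parse a ClientHello record and list the protocol versions it offers."""
    if record[0] != 22 or record[5] != 1:      # handshake record, client_hello message
        raise ValueError("not a ClientHello")
    pos = 9                                    # 5-byte record header + 4-byte handshake header
    (legacy,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                              # legacy_version + random
    pos += 1 + record[pos]                     # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                     # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:                     # supported_versions extension
            n = record[pos]
            return [struct.unpack_from("!H", record, pos + 1 + i)[0] for i in range(0, n, 2)]
        pos += ext_len
    return [legacy]  # no extension: legacy_version is only the highest version offered

def report(ctx=None):
    """Human-readable list of the versions the given (or hardened) context offers."""
    versions = offered_versions(client_hello(ctx or tls12_context()))
    return [NAMES.get(v, hex(v)) for v in versions]

if __name__ == "__main__":
    print(report())
```

If the output lists TLS 1.0 or TLS 1.1, the client stack still offers early TLS and needs reconfiguring before you test against the entry point.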
Is it possible to extend the deadline of 3rd September 2018?
Unfortunately, no extensions are possible. 3rd September 2018 is the final deadline given to us by the Payment Card Industry Data Security Standard (PCI DSS), so we recommend you take action as soon as you can.
Could you provide Windows OS instructions on how to disable TLS 1.0/1.1 and enable 1.2?
Windows IIS configuration depends on the system and the version you use. Microsoft Support has several articles that explain how to do it.
What can I do if I work with other partners and I need to keep TLS 1.0 for backward compatibility?
We’re only asking partners to update to TLS 1.2 for connections with the Booking.com system. While we don’t recommend it, you will be able to maintain other encryption levels for other platforms. However, please be aware that any platform that still supports older versions of TLS after 3rd September 2018 will not be complying with the PCI standard.
Can you give me a list of properties currently using TLS 1.0, so I can upgrade properly?
Yes, we can send you a list of properties working with you that still use TLS 1.0. To request the list, please send an email to firstname.lastname@example.org. However, bear in mind that the list may not include every single property that uses TLS 1.0, as it will be based on XML calls made during a specific, limited period of time.
I have a question that isn’t covered here. How can I find out more?
If there’s anything else you’d like to know, please don’t hesitate to get in touch with us at email@example.com.