What does TLS stand for?
TLS stands for Transport Layer Security, the set of protocols that provide encryption security for your connectivity system. The Payment Card Industry Data Security Standard, which governs the secure processing and transmission of credit card information, has set us a deadline of 30th January 2022 for disabling early TLS versions (v1.0 - v1.1) and implementing a more secure encryption protocol, called TLS v1.2 or later.
What is a TLS protocol?
TLS is a widely used protocol, designed to guarantee the safety of data transfers over a network. TLS encrypts a channel between two endpoints (for example, between Booking.com’s web server and your server) to ensure the privacy and reliability of data being transmitted.
Why is this important?
This change will ensure greater safety for transactions made via your system. Early versions of TLS (TLS v1.0 - v1.1) no longer meet minimum security standards due to security vulnerabilities in the protocol for which no fixes are available. As a result, data transmitted using these protocols can be intercepted and decrypted by malicious actors.
What version of TLS do I need to have?
You need to update to TLS version 1.2 or later.
Does this change affect me even if I don’t deal with credit cards?
Yes. After 30th January 2022, any provider with old versions of the TLS protocol will no longer be able to connect to any Booking.com API’s regardless of whether they handle credit card data or not.
Early versions of TLS (TLS v1.0 - v1.1) no longer meet minimum security standards due to security vulnerabilities in the protocol for which no fixes are available. As a result, data transmitted using these protocols can be intercepted and decrypted by malicious actors and therefore will be blocked.
Does the update require any development time?
No, it only requires some time from your system administrator.
What if I already use TLS version 1.2 or later?
If you’ve already updated to TLS 1.2 or later, no action is required from your side. However, we recommend you check with our support team (connectivity@booking.com) to avoid any confusion.
Is it possible to extend the deadline of 30th January 2022?
Unfortunately no extensions are possible. 30th January 2022 is the final deadline given to us by the Payment Card Industry Data Security Standard (PCI DSS), so we recommend you take action as soon as you can.
Could you provide Windows OS instructions on how to disable TLS 1.0./1.1 and enable 1.2?
Windows IIS configuration depends on the system and the version you use. Microsoft Support has several articles that explain how to do it.
What can I do if I work with other partners and I need to keep TLS 1.0 for backward compatibility?
We’re only asking partners to update to TLS 1.2 or later for connections with the Booking.com system. While we don’t recommend it, you will be able to maintain other encryption levels for other platforms. However, please be aware that any platform that still supports older versions of TLS after 30th January 2022 will not be complying with the PCI standard.
Can you give me a list of properties currently using TLS 1.0/1.1 so I can upgrade properly?
Yes, we can send you a list of properties working with you that still use TLS 1.0/1.1. To request the list, please send an email to connectivity@booking.com. However, bear in mind that the list may not include every single property that uses TLS 1.0/1.1, as it will be based on XML calls made during a specific, limited period of time.
I have a question that isn’t covered here. How can I find out more?
If there’s anything else you’d like to know, please don’t hesitate to get in touch with us at connectivity@booking.com.
Comments
0 comments
Article is closed for comments.