Product news

September 14, 2022

TLS cipher updates

Security is always an important issue in today’s online culture. Obviously, you want to ensure that your data, money, and transactions are conducted in a secure, encrypted manner – and that is also in our best interest. After all, if we at Barion cannot guarantee that security, why would you entrust your money to us?


The importance of PCI DSS

For that reason, our products comply with the Payment Card Industry (PCI) Data Security Standard (DSS), to ensure that your transaction and bank card data are as secure as possible. To comply with the expectations and regulations of the various card issuers (Mastercard, Visa, Amex, and so on), we need to take a very close look at the cipher suites we use when you connect via HTTPS to our APIs or our secure site – and of course, this applies to both inbound and outbound traffic (that is, also when we are sending data to you). The cipher suites encrypt the data during the whole information exchange process, with the decryption happening both at your end and at ours. This way, those extremely important digits that give access to your bank account are protected during the whole duration of the transaction, ensuring that no outsider can gain access to the encrypted information flow.


While these standards, encryption/decryption methods, and relevant identification protocols may seem a hassle on the surface, we want to follow and implement them, and not only because they are required by the card industry. If we did not do so, well, paying through Barion just might result in a very happy scammer/phisher messaging you that all your banking data are belong to them. And we imagine that you would like that even less than we do.


Our solution

To avoid such problems, we are updating both our incoming and our outgoing Transport Layer Security (TLS) encryption starting June 1, 2023, in a twofold way. First, we are routing most of our outbound and inbound traffic (already around 98% of our total) to use TLS 1.3. Second, we are ensuring that our TLS 1.2 connections use the accepted, trusted cipher suites, while the TLS 1.2 cipher suites that are deemed weak will be discarded.


This ensures the cipher suites we are using conform to the latest industry recommendations, in both directions of the communication. Also, if we did not ensure that our side also complies with these industry regulations, all Barion transactions would flat-out vanish into the digital void.


Our TLS 1.2 ciphers

From June 1, 2023, onwards, our Cloudflare-protected endpoint checks for and employs the following encryption suites when sending or receiving communication using TLS 1.2:


• TLS_AES_128_GCM_SHA256

• TLS_AES_256_GCM_SHA384

• TLS_CHACHA20_POLY1305_SHA256

• ECDHE-ECDSA-AES128-GCM-SHA256

• ECDHE-RSA-AES128-GCM-SHA256

• ECDHE-ECDSA-AES256-GCM-SHA384

• ECDHE-RSA-AES256-GCM-SHA384

• ECDHE-ECDSA-CHACHA20-POLY1305

• ECDHE-RSA-CHACHA20-POLY1305


You can check the details at Cloudflare here.

If you are already using these cipher suites, you have nothing further to do at this point.


Unsupported TLS 1.2 cipher suites

If you are using any of the following TLS 1.2 cipher suites, you need to switch to one of the supported TLS 1.2 suites listed above, or switch to TLS 1.3:


• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

• TLS_RSA_WITH_AES_128_CBC_SHA

• TLS_RSA_WITH_AES_128_CBC_SHA256

• TLS_RSA_WITH_AES_256_CBC_SHA

• TLS_RSA_WITH_AES_256_CBC_SHA256

• TLS_RSA_WITH_AES_128_GCM_SHA256

• TLS_RSA_WITH_AES_256_GCM_SHA384


If you want to keep using Barion after May 31, 2023, ensure that your system uses the appropriate TLS 1.2 cipher suites (or switch to TLS 1.3). If your server is running on Windows, you may find more detailed information here and here.
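The two lists above use different naming schemes: the unsupported list uses IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), the supported list uses OpenSSL names for the TLS 1.2 suites (ECDHE-RSA-AES128-GCM-SHA256), and its first three entries (TLS_AES_128_GCM_SHA256 and friends) are in fact the TLS 1.3 suite names, which are identical in both schemes. The following is an added example, not Barion's or Cloudflare's code, that normalises a suite name from either scheme, classifies it against both published lists, explains why a suite falls on the unsupported side (static RSA key exchange or CBC mode), and builds a Python client context that offers only the supported TLS 1.2 suites so you can verify your own integration offline. The name-mapping rule covers only the suite families that appear on this page, and the `ssl` part assumes an OpenSSL-backed Python; function names and the sample input are constructed for the example.

```python
"""Check TLS cipher suite names against Barion's published June 2023 lists.

Added example (not Barion's or Cloudflare's code). The two suite lists are
copied from the announcement; the IANA <-> OpenSSL name mapping is the
standard TLS naming convention, restricted to the families on this page.
"""
import re
import ssl

# Supported suites exactly as published: three TLS 1.3 names, then TLS 1.2 OpenSSL names.
SUPPORTED = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
}

# Unsupported TLS 1.2 suites exactly as published (IANA names).
UNSUPPORTED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
}


def iana_to_openssl(name):
    """Map an IANA name (TLS_<kx>_WITH_<cipher>_<mac>) to its OpenSSL name.

    Covers the ECDHE/RSA + AES-GCM/AES-CBC/CHACHA20 families used on this page.
    TLS 1.3 names and names already in OpenSSL form are returned unchanged.
    """
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if not m:
        return name
    kx, cipher = m.groups()
    cipher = re.sub(r"AES_(\d+)", r"AES\1", cipher)      # AES_128 -> AES128
    cipher = cipher.replace("_CBC", "")                    # OpenSSL omits CBC: AES128-SHA
    cipher = re.sub(r"CHACHA20_POLY1305_SHA256$", "CHACHA20-POLY1305", cipher)
    cipher = cipher.replace("_", "-")
    if kx == "RSA":                                         # static RSA kx has no prefix in OpenSSL
        return cipher
    return f"{kx.replace('_', '-')}-{cipher}"


def classify(name):
    """Return 'supported', 'unsupported' or 'unknown' for a suite in either naming scheme."""
    normalised = iana_to_openssl(name)
    if normalised in SUPPORTED:
        return "supported"
    if normalised in {iana_to_openssl(u) for u in UNSUPPORTED}:
        return "unsupported"
    return "unknown"


def weakness_reasons(iana_name):
    """Explain, from the IANA name alone, why a TLS 1.2 suite is on the unsupported list."""
    reasons = []
    if iana_name.startswith("TLS_RSA_WITH_"):
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "_CBC_" in iana_name:
        reasons.append("CBC mode (not AEAD)")
    return reasons


def hardened_client_context():
    """Client context that offers only the supported TLS 1.2 suites and nothing below TLS 1.2.

    set_ciphers() governs TLS 1.2 suites only; OpenSSL keeps its TLS 1.3 suites
    (the three TLS_* names above) enabled independently of this string.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12_only = sorted(s for s in SUPPORTED if not s.startswith("TLS_"))
    ctx.set_ciphers(":".join(tls12_only))
    return ctx


def offered_tls12_suites(ctx):
    """List the TLS 1.2 suites this context would actually offer in a ClientHello."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


if __name__ == "__main__":
    # Constructed sample: suites as they might appear in a client's negotiated-suite log.
    for suite in ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "ECDHE-ECDSA-CHACHA20-POLY1305", "TLS_AES_128_GCM_SHA256", "DES-CBC3-SHA"]:
        print(f"{suite:45} {classify(suite):12} {weakness_reasons(suite)}")
    print("offered TLS 1.2 suites:", offered_tls12_suites(hardened_client_context()))
```

Run it against the suite names your own client or server logs, or your load balancer's cipher string; anything reported as "unsupported" needs to change before the cutover, and "unknown" means the suite is on neither list and should be checked against the Cloudflare documentation linked above.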
