SSLv3 and POODLE Security Credit Card Processing
AccountEdge Credit Card Processing and SSL
A vulnerability has been reported in SSLv3, a protocol used for secure browsing and online communications. When you use a browser, or when two applications or servers speak to each other securely over the internet, they do this on a secure socket using encryption methods like SSL or TLS. These methods encrypt messages being sent between your browser (or an embedded browser within an application like AccountEdge) and a server, or between an application and a server.
To learn more about the vulnerability and what SSL is, this article from Forbes does a nice job laying it out.
Due to this newly reported vulnerability, Forte, which provides the gateway used for processing your credit card transactions, will be sunsetting support for the SSLv3 method of creating a secure connection to their servers. A more up-to-date method, called TLS, will be used for creating these connections.
When AccountEdge processes credit card transactions we do so in two ways. First, whenever you are entering a credit card number to process a transaction (or to store it on Forte's secure servers for future use) we do so on Forte's securely hosted form. We display this web page/form to the user using a browser window that is essentially embedded within AccountEdge (we don't launch your browser). We are working on ensuring that the browser technology that we use when displaying these forms is up to date to support the latest TLS methods. We will update this FAQ with new information shortly once we are satisfied this technology is using the latest methods.
AccountEdge also processes transactions without opening a browser window. When entering a credit card number within AccountEdge, you have the option to store that number for future use. The credit card number isn't stored in your accounting software; instead, a token that represents the card is stored. The card itself is stored on Forte's secure servers. At the time you process a transaction with one of these stored tokens, we open a secure connection to Forte's gateway to process that transaction. We are currently reviewing the methods used in AccountEdge to ensure that we are using TLS to create a secure connection instead of SSLv3, which is being sunset.
It is recommended that you ensure that you are using up-to-date and supported versions of your browsers and operating systems. As a reminder, Windows XP and Internet Explorer 6 are no longer supported by Microsoft and have known vulnerabilities. It is recommended that customers upgrade to at least Internet Explorer v8 or later and to Windows 7 or later. Even if IE is not your preferred browser, we recommend that IE 8 or later is installed.