TLS/SSL frequently asked questions
At Amazon, we always believe in giving you many secure choices to communicate with us. We are now offering a default Transport Layer Security (TLS) 1.2 connection, which can downgrade to TLS 1.1 or 1.0 as necessary.
What are the Secure Sockets Layer (SSL) and Transport Security Layer (TLS) protocols?
SSL and TLS are widely used protocols designed to transport data securely between a client and a server. The use of SSL during the 1990s enabled the beginning of secure commerce on the Internet. Its successor protocol, TLS, continues to be used by web browsers and servers to protect the privacy of Web communications. When a URL address contains HTTPS, the 'S' stands for secure, and indicates that data is being transmitted securely using one of these protocols.
Where is TLS used by Amazon Pay?
TLS is used by Amazon Pay to secure the following information in transit:
- Buyers’ Personally Identifiable Information (PII)
- Cardholder data
- Communications from merchants’ servers to Amazon Payments’ API endpoints
- Instant Payment Notifications (IPN) sent to merchants’ endpoints
If you are using Amazon Pay and would like to know more about how this service makes use of SSL/TLS, please see this section of our documentation.
What SSL/TLS versions does Amazon Pay support?
Currently supported TLS versions are 1.0, 1.1, and 1.2. Amazon Pay removed support for SSL in 2015.
How can I test whether my Amazon Pay integration supports TLS 1.2?
There are two communications channels to consider when determining whether your Amazon Pay integration supports TLS 1.2:
- The API requests from your server(s) to the Amazon Pay endpoints.
The following are technologies commonly used for Amazon Pay integrations that are known to support TLS 1.2:
- .NET — .NET 4.6 uses TLS 1.2 automatically. .NET 4.5 can be configured to use TLS 1.2. .NET 3 and below does not support TLS 1.2.
- Java — Java 6 does not support TLS 1.2 natively, but support for TLS 1.2 in Java 6 is provided by third parties. Java 7 supports TLS 1.2, but does not enable its use by default for clients. TLS 1.2 is enabled by default beginning in Java 8.
- OpenSSL (PHP, Ruby, Python) — Most dynamic languages such as Ruby, PHP, and Python rely on the underlying operating system's OpenSSL version. You can check it by running the command ‘openssl version’. 1.0.1 is the minimum required.
- The payment notifications sent from Amazon Pay’s server(s) to your endpoint.
To confirm that your server accepts payment notifications using TLS 1.2, online tools such as Qualys SSL Labs provide an easy method to determine TLS protocol compatibility and best practices for your site.
If you are using Amazon Pay you can also use our IPN Testing Tool inside Seller Central to verify that payment notifications can be successfully sent to your server.
Please contact us if you have any questions or need more information.