Release Notes

These release notes cover all releases to the production server for the week ending

April 10, 2026

.

Announcements

These announcements are for

April 10, 2026

.

TLS Updates

We are making changes to our implementation of Transport Layer Security (TLS).

TLS 1.3

To maintain the highest security standards for both browser-based and server-to-server connections, we will enable TLS 1.3 on the endpoints listed below. This enhancement is optional and will supplement the existing TLS 1.2 support, which will remain in place.

We will make changes to these endpoints on these dates:

Testing environment
: May 26, 2026

ics2wstesta.ic3.com

ics2wstest.ic3.com

apitest.cybersource.com

Production environment
: June 2, 2026

ics2wsa.ic3.com

ics2ws.ic3.com

api.cybersource.com

api.in.cybersource.com

ics2ws.in.ic3.com

Contact Customer Support if you have any questions about these changes.

TLS Certificate Lifetime Reduction

In alignment with new CA/Browser Forum regulations, the maximum TLS certificate lifetime will be reduced gradually as follows:

• Currently, the maximum lifetime for a TLS certificate is 200 days.

• Beginning March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

• Beginning March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

See this blog for more information about the TLS certificate lifetime changes:

tls-certificate-lifetimes-will-officially-reduce-to-47-days

How will this change impact connectivity?

Server-level (leaf) SSL/TLS certificates will remain valid until their scheduled expiration. Server-level (leaf) TLS certificates have shorter lifespans and must be reissued more frequently. We therefore recommend that clients trust the root certificate instead.

What is our recommendation?

We continue to recommend trusting the Root TLS certificates for all secure endpoints. This approach removes the need for periodic renewal of server level certificates and helps prevent connection failures caused by expired leaf certificates.

How can I tell which TLS certificate I am using?

Contact your server administrator or your network support team.

Where can I find the TLS Root certificate?

Continue trusting the root certificate to maintain connectivity with supported endpoints. You can download the root certificate from this article:

?code=KA-09802

Contact your Customer Support representatives with any questions.

Webhooks Updates

Webhooks version 1 will be decommissioned by the end of the year 2026. See Webhooks version 2 in the Developer Center.

Smart Auth Retirement

Smart Auth, also known as SuperAuth, is being discontinued. This product was often included in the "Essentials" package of products for small merchants.

Support for Smart Auth is being discontinued in phases. The final end of life occurs October 5, 2026.

Merchants currently using Smart Auth will receive a 90-day product sunset notification.

Merchants interested in a similar product can use Fraud Management Essentials (FME). FME is an actively supported service that offers improved fraud protection capabilities and system reliability.

Message-Level Encryption Upcoming Mandate

An updated version of message-level encryption (MLE) will become mandatory in order for merchants to use the APIs. Portfolio owners must enable this updated version of MLE for their merchants by September 2026
.

This required MLE update encrypts all data in your API response messages. The previous version of MLE encrypted only request messages. If your merchants are already using custom JSON Web Token messaging, they must also update how their system constructs JWTs. Merchants who are using HTTP signature messaging must migrate their system to JWT messaging.

You risk transaction failures if you do not implement this MLE update.

Overview of MLE

MLE is a robust security protocol designed to encrypt individual messages or payloads at the application layer. By protecting sensitive data at the message level, MLE ensures that your information remains secure as it moves through systems and networks, providing a layer of security beyond traditional transport encryption.

Enabling MLE requires you to create a REST API key for request messages and a REST – API Response MLE
key for response messages. If your organization is using a meta key, the portfolio account or merchant account user who created the meta key must also create the REST – API Response MLE key.

Update Methods: Create or update your custom MLE integration using JWTs with P12 certificates. For more information, see the Enable Message-Level Encryption Enable Message-Level Encryption section in the Getting Started with REST Developer Guide
. For a method using shared secret key pairs, see the HTTP Messaging Migration to JWT Messaging section below.
Update your REST API SDK. For more information, see the REST API related products
section in the Cybersource GitHub.

JSON Web Token Construction Update

There are new requirements for how to construct JSON Web Tokens (JWTs) in order to send API request messages. If you use a custom integration to construct JWTs, you must update your system to remain compliant. This update is necessary to support the new MLE requirements.

Update Methods: Construct JWT Messages Using a
P12 Certificate
Construct JWT Messages Using a
P12 Certificate
in the Getting Started with REST Developer Guide
Construct JWT Messages Using a
Shared Secret Key Pair
Construct JWT Messages Using a
Shared Secret Key Pair
in the Getting Started with REST Developer Guide

HTTP Messaging Migration to JWT Messaging

By September 2026
, all merchants using HTTP signature messaging must migrate to JWT messaging in order to support MLE. Merchants already using HTTP signature messaging with shared secret key pairs can now continue using their existing keys with JWT messaging.

Update Method: Construct JWT Messages Using a
Shared Secret Key Pair
Construct JWT Messages Using a
Shared Secret Key Pair
in the Getting Started with REST Developer Guide

Bluefin P2PE Decryption: PCI P2PE Support Ending for PTS 3.X Terminals

Bluefin announced that their support for PCI P2PE on PTS 3.X payment terminals will end on April 30, 2026
. After this date, these devices will no longer be supported or listed as part of Bluefin’s validated PCI P2PE solution.

Bluefin has notified clients about the device support status. Customers still using PTS 3.X devices should transition to supported alternatives to remain compliant. For replacement and integration guidance, see the Guidance on Expiring Bluefin P2PE PTS Devices document.

Features Introduced This Week

No customer-facing features were released this week.

Fixed Issues

No customer-facing fixes were released this week.

Known Issues

Payments
| EPS-37033

Description: Merchants who process through Visa Platform Connect in the Asia-Pacific region might see duplicate settlements for transactions when the "allow multiple bills" feature is enabled, and the "allow bills greater than authorizations" feature is disabled.
Audience: Merchants who process through Visa Platform Connect in the Asia-Pacific region.
Technical Details: None.
Workaround: None.