DigiCert and Entrust Certificates (Moneris Gateway and IP Gate)

Moneris will be updating its internet communication security certificates on the Moneris Gateway effective March 13, 2018, and IP Gate effective April 9, 2018. This is a regular practice that is mandated every few years and will not impact the majority of our merchants if they regularly update certificates. Moneris will be changing from a Verisign certificate to a DigiCert certificate. Businesses that have not updated their digital certificate or have ‘hard coded’ the existing Verisign certificate could face issues processing payments.

As a business that uses the Moneris Gateway for your eCommerce, mail order and telephone order business, and IPGate for your integrated in-store solution, we are asking that you verify your ‘certificate store’ or ‘trust store’ contains the most up-to-date security certificates – specifically those from Verisign, DigiCert and Entrust – by testing your connection in the QA environments below. Businesses that already have Verisign, DigiCert and Entrust root certificates stored will not be impacted.

What you need to do:

- Please test your secure connection in the QA environment using the URLs below.
- If there are no issues, this means your business is prepared for the digital certificate update and no further action is required.
- If you are unable to connect in the QA environment, please download the packages below to your certificate store or trust store.
- Web developers who have ‘hard coded’ our current Verisign certificate will need to manually add the new certificates to their code environment.
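One way to run the connection test described above from a merchant system, as an added example that is not Moneris code: it handshakes with each QA hostname listed under "QA and Production URLs" using the machine's default trust store and reports whether the chain verified and which organisation issued the certificate. Port 443 and the helper names are assumptions made for this sketch.

```python
import socket
import ssl

# QA hostnames copied from this page; port 443 is an assumption.
QA_HOSTS = ["ipgt1.moneris.com", "ipgt2.moneris.com", "ipgtpr1.moneris.com",
            "ipgtpr2.moneris.com", "sslqa.moneris.com", "ssltestpr.moneris.com"]
WANTED_CAS = ("verisign", "digicert", "entrust")


def org_of(name):
    """organizationName from a subject/issuer tuple as returned by the ssl module."""
    for rdn in name:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def trusted_ca_families(ca_certs):
    """Report which wanted CA families appear in SSLContext.get_ca_certs() output."""
    orgs = [org_of(cert.get("subject", ())).lower() for cert in ca_certs]
    return {ca: any(ca in org for org in orgs) for ca in WANTED_CAS}


def check_host(host, port=443, timeout=10):
    """Handshake with chain and hostname verification against the default trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = org_of(tls.getpeercert()["issuer"])
                return {"host": host, "ok": True, "issuer": issuer, "tls": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # Typical when the issuing root is missing from the trust store.
        return {"host": host, "ok": False, "error": exc.verify_message}
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return {"host": host, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    # On stores backed by a certificate directory, get_ca_certs() lists only
    # certificates loaded so far, so a False here is a hint, not proof.
    print(trusted_ca_families(ssl.create_default_context().get_ca_certs()))
    for qa_host in QA_HOSTS:
        print(check_host(qa_host))
```

A client that has the old Verisign certificate hard coded does not consult the system trust store, so it can still fail after the change even when this check passes; test such a client through its own code path.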
QA and Production URLs

Integrated and eCommerce merchants can test their secure connection at:

- ipgt1.moneris.com
- ipgt2.moneris.com
- ipgtpr1.moneris.com
- ipgtpr2.moneris.com
- sslqa.moneris.com
- ssltestpr.moneris.com

Active production URLs at:

- ipg1.moneris.com
- ipg2.moneris.com
- ipgpr1.moneris.com
- ipgpr2.moneris.com

DigiCert

The complete DigiCert certificate package can be found at: https://knowledge.symantec.com/support/mpki-for-ssl-support/index?page=content&id=INFO4655

Entrust

The complete Entrust root certificate package can be found at: https://www.entrustdatacard.com/pages/root-certificates-download

Who to contact:

To minimize potential service impacts, we encourage merchants to consult the appropriate support teams, including:

- Your internal IT department (network, security, systems administrator, etc.)
- The company that is hosting your solution
- The company that did the network setup for your website/system

Businesses without Verisign, DigiCert and Entrust certificates installed may experience issues processing transactions beginning on March 13, 2018.

Data Security Update

In accordance with the National Institute of Standards and Technology, data transport encryption standards have been updated to new industry-wide standards for acceptable protection of data. Moneris will be migrating to Transport Layer Security (“TLS”) and Secure Hash Algorithm (“SHA”). TLS is a protocol used to encrypt the data between your payment gateway connection point and Moneris to ensure the security of data and SHA is a hashing algorithm used to sign digital certificates.

For more information on SHA or TLS please refer to the National Institute of Standards and Technology articles at:

- http://www.nist.gov/itl/csd/tls-043014.cfm
- http://csrc.nist.gov/groups/ST/hash/policy.html

November 2015

Interac Mandates EMV Acceptance

Notice: Effective December 31, 2015, Interac has mandated all point of sale (POS) solutions accepting Interac Debit in Canada must be EMV chip and PIN enabled.
If your current POS device does not comply with this mandate, please contact Moneris at 1-866-319-7450 for assistance. Failure to comply by the December deadline may impact your ability to accept Interac Debit until an upgrade is performed. Thank you.

Need to know the latest fraud trends?

Keeping abreast of new or reoccurring scams can significantly reduce or prevent losses at your place of business. Moneris Solutions is committed to keeping you informed / updated on these trends as they occur. Be sure to check this section regularly.

Bash "Shellshock" Bug

In light of the recent media exposure regarding the Bash “Shellshock” bug, Moneris would like to assure our merchants that their customers’ data has not been compromised on our systems as a result of this issue. Our information security team has applied all currently released security patches for all versions of Bash. We will continue to monitor our systems and apply the release of new security patches on an ongoing basis to prevent any impact to our payment infrastructure.

OpenSSL “Heartbleed bug” (CVE-2014-0160)

In light of the recent media exposure regarding the OpenSSL "Heartbleed bug" (CVE-2014-0160), Moneris would like to assure our customers that we have investigated and determined that our current payment infrastructure is not vulnerable to this form of attack. Your customers’ data has not been compromised on our systems as a result of this issue. Moneris’ PCI compliant network is operating on an OpenSSL version that is not vulnerable to the "Heartbleed" security issue.

Phishing alerts

October 2013

We have recently discovered that some of our customers are receiving fraudulent "phishing" emails, attempting to collect Moneris account credentials and prompting customers to install fraudulent files into their systems.
These emails may have some of the following characteristics:

- They may come from a fictitious email address, such as firstname.lastname@example.org
- They provide false information, advising customers that their Moneris Virtual Terminal SSL certificate has expired.
- A website link is provided and customers are asked to update their digital certificate by clicking on the link.
- Once the link has been opened, customers are asked to install a file that is fraudulent.
- This link will take customers to a web page which looks like a Moneris service page, such as the Merchant Direct Login or e-Select plus login pages.

If you have received one of these phishing emails, please follow these steps:

- Please delete the email immediately, do not click the link or enter any Moneris Login credentials.
- Please do not install any of the attached files.

If the link has been accessed and the file downloaded, please follow these important steps:

- Login to your Moneris Account and change your password
  - For Merchant Direct customers, please go to: https://www.moneris.com/mymerchantdirect
  - For Moneris Gateway customers, please go to: https://www3.moneris.com/mpg/index.php
- Refer to your IT department to scan your system for any new viruses on your system
- Run your antivirus application

If the link has not been accessed, please delete the email immediately.

What is “phishing”?

Phishing is a type of fraud that uses email, web pages and text messages to gather personal, financial and sensitive information for the purpose of identity theft. Most commonly, users receive spam email, text messages and pop-up windows that appear to come from legitimate businesses asking the recipient to confirm or provide personal information such as passwords, social insurance, credit card and account numbers.

How can you protect your business from online threats like phishing?

- Be aware of the potential risks and educate yourself and your staff on how to handle them.
- Question the source of all email messages you receive, and call us to confirm the source of any email messages or other communications if you have any concerns.
- Build into your regular routine time to evaluate and update your security procedures.

Moneris Solutions does not ask its merchants to provide, confirm or update their records via email. We will not send emails from a third party address or link to a third party site. We are committed to keeping you informed of latest fraud trends and protecting your business.

If you have any additional concerns, contact us at 1-866-319-7450.