Important Change Information for Westpac Quickstream TLS Changes

As part of our initiative to conform to the new requirements issued by the Payment Card Industry Security Standard Council and cyber security best practice, we will be making changes to our web services that use TLS.

What is happening?

Starting in September 2024, we will begin enabling TLSv1.3 and disabling CBC ciphers, which are now considered insecure; please see the schedule for disablement below. After this change, any TLS connection that uses only CBC ciphers will be unable to connect to Qvalent/Westpac services, as per our obligations for PCI compliance.

Why is this happening?

At Qvalent we treat the protection of our customers' data very seriously. Sometimes we need to make security improvements and retire older encryption protocols. This allows us to maintain the highest security standards and promote the safety of your data. 

To maintain alignment with these best practices and to maintain industry standards such as PCI-DSS and Gateway Network Governance Body, Qvalent will disable the use of CBC ciphers across TLSv1.2 and TLSv1.3 for connections to Qvalent/Westpac services.

What TLSv1.2 and TLSv1.3 ciphers will we support after the cutover date?

TLSv1.3

TLS_AES_256_GCM_SHA384 (0x1302)  

TLS_CHACHA20_POLY1305_SHA256 (0x1303)

TLS_AES_128_GCM_SHA256 (0x1301)

TLSv1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

ALL QVALENT TEST ENVIRONMENTS HAVE CBC CIPHERS DISABLED AND TLSv1.3 ENABLED

How do I know if we are ready for this change? 

After Quickstream disables the CBC ciphers and enables TLS v1.3, any connection to Qvalent/Westpac services must support the above ciphers.

This change also impacts access to Westpac web sites and products such as: 

  • Westpac Quickstream (including QuickWeb, QuickConnect, QuickVault, QuickView, QuickTerminal, QuickGateway, REST etc.)

  • Westpac PayWay (including PayWay Net, API, Virtual Terminal etc.)

  • Westpac iLink

  • Westpac QuickSuper

  • Westpac Payments Plus

  • Westpac Invoice Finance

There are two different channels that need encryption to access Qvalent/Westpac services. These channels are:

  • Internet Browser

  • API integrations

An overview of each is below:

Internet Browsers

 When using most browsers, you will not have trouble accessing Qvalent/Westpac services. But you may have trouble if:

  •  You are not using a modern supported browser.

  •  Your browser has disabled the supported encryption protocols

To quickly test your browser compatibility, you can visit our test page, which has the new TLS settings implemented. 

If you are able to view the site without errors, access to services via your browser should not be impacted by this change. If you receive an error, please speak with your IT department.

API Integrations

After Quickstream disables CBC ciphers, any connection to Qvalent/Westpac services must use the above listed versions of TLS and Ciphers. 

API integrations are interfaces to Qvalent and Westpac services that are separate from, but use Qvalent and Westpac data. 

Examples of API integrations are:

  • Secure token request for QuickWeb, QuickConnect, QuickVault, and PayWay Net.

  • API requests for QuickGateway, QuickVault, PayWay API, REST API or iLink HTTPS/SOAP

If you have implemented any of these features, make sure you have enabled the TLS v1.2 encryption protocol.
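A pre-check for an integration's cipher offer against the six suites listed above, as an added example that is not Qvalent/Westpac code. The function names and the two sample offers are constructed for illustration; `local_offer()` reports what this Python/OpenSSL build would offer, which is only relevant if your integration runs on that stack.

```python
import ssl

# The six suites the page lists as supported after the cutover (IANA code -> name).
POST_CUTOVER = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def assess_offer(offered_codes):
    """Compare the suite codes a client offers against the post-cutover list."""
    usable = [c for c in offered_codes if c in POST_CUTOVER]
    return {
        "ready": bool(usable),
        # TLS 1.3 suite codes all sit in the 0x13xx range.
        "tls13": [POST_CUTOVER[c] for c in usable if c >> 8 == 0x13],
        "tls12": [POST_CUTOVER[c] for c in usable if c >> 8 != 0x13],
        "not_accepted": [hex(c) for c in offered_codes if c not in POST_CUTOVER],
    }


def local_offer(ctx=None):
    """IANA codes offered by this Python/OpenSSL build's default client context."""
    ctx = ctx or ssl.create_default_context()
    # OpenSSL reports a 32-bit id; the low 16 bits are the IANA suite code.
    return [c["id"] & 0xFFFF for c in ctx.get_ciphers()]


# Constructed sample offers (not captured traffic).
CBC_ONLY = [0xC027, 0xC028, 0xC013, 0xC014, 0x002F, 0x0035]  # CBC suites only
MIXED = [0x009C, 0xC02B, 0xC02F, 0x1301]  # static-RSA GCM, ECDSA GCM, two listed

if __name__ == "__main__":
    for label, offer in (("cbc-only", CBC_ONLY), ("mixed", MIXED),
                         ("this host", local_offer())):
        r = assess_offer(offer)
        print(label, "ready" if r["ready"] else "NOT ready", r["tls13"], r["tls12"])
```

The `MIXED` case shows that a GCM suite is not automatically accepted: only the six listed suites count, so a client offering GCM solely with static RSA or ECDSA key exchange over TLS v1.2 would still fail.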

To test the compatibility of an API integration that communicates with a Qvalent/Westpac service:

PayWay

  1. Point your test environment to connect to PayWay. You may have implemented

    • PayWay Net with a secure token request, or

    • PayWay API

  2. Perform a secure token request or API request using the TEST merchant. 

    • If you do not receive an error message that resembles the error message below, then the underlying TLS connection was successful and your integration works with TLS v1.2. 

    • If you instead see an error message that resembles the error message below, then the test has failed. Your systems need adjustments or upgrades to work properly with these services when we deactivate TLS v1.0 and v1.1.

      HTTP 403 error, TLSv1 is not strong encryption, please use TLSv1.2 instead

Quickstream

  1. Re-instate your test environment to connect to the Qvalent/Westpac service test environment. You may have implemented 

    • a QuickWeb/QuickConnect/QuickVault with a secure token request, or

    • a QuickGateway

  2. Perform a secure token request or API request to the test environment. 

    • If you do not receive an error message that resembles the error message below, then the underlying TLS connection was successful and your integration works with TLS v1.2. 

    • If you instead see an error message that resembles the error message below, then the test has failed. Your systems need adjustments or upgrades to work properly with these services when we deactivate TLS v1.0 and v1.1.

      HTTP 403 error, TLSv1 is not strong encryption, please use TLSv1.2 instead

iLink HTTP File Transfers / Superannuation Messages

  1. Re-instate your test environment to connect to the Qvalent/Westpac service test environment. You may have implemented 

    • an HTTPS file transfer or

    • a QuickSuper gateway message

  2. Perform an HTTPS POST to the test environment. 

    • If you do not receive an error message that resembles the error message below, then the underlying TLS connection was successful and your integration works with TLS v1.2. 

    • If you instead see an error message that resembles the error message below, then the test has failed. Your systems need adjustments or upgrades to work properly with these services when we deactivate TLS v1.0 and v1.1.

      HTTP 403 error, TLSv1 is not strong encryption, please use TLSv1.2 instead

When will Qvalent/Westpac disable CBC ciphers and enable TLSv1.3 in Production?

We plan to disable CBC ciphers and enable TLSv1.3 encryption according to the following schedule:

What is SFTP?

SSH File Transfer Protocol (SFTP) is a secure file transfer protocol. Connections made using SFTP use SSH to provide secure transport for your files with Westpac.

Why is Westpac Changing Its SFTP Server Cryptography Standards?

The Payment Card Industry Security Standard Council has deemed that the above cryptography standards (SHA1 and CBC) are no longer secure for SFTP servers and hence Westpac is changing its offered cryptography in line with these standards.

When will this change take place?

The change is scheduled for the following dates:

We encourage you to perform UAT testing in the Test/Support environment as soon as possible to ensure your SFTP client is compatible with the cryptography options available in this environment.

What must I do?

  1. Read this detailed change advice, and escalate to your technical team for review.

  2. Identify all SFTP client instances that interact with the SFTP server and take action to prepare for this change in advance. Note that older SFTP client software may not support SHA2(256) for MACing (as an example). You will need to check with your provider.

  3. Ensure all SFTP client(s) do not exclusively rely on either of the following by consulting with SFTP client vendor documentation and/or technical support:

    1. All SHA1 hashing for Key Exchange

    2. All CBC Ciphers

  4. Are any keys changing? No keys are changing. Your SFTP client needs to support the above cryptography.

  5. Use the iLink SFTP (Qvalent) Test/Support Environment to perform UAT testing to confirm no compatibility issues between your SFTP client and our hardened service offering.

  6. Resolve any issues by upgrading any required SFTP clients to support the latest industry-grade cryptography standards and perform UAT testing against our Test/Support environment.

  7. Promote all changes to your Production environment before the Production change deadline.

  8. Understand and be prepared to instigate your iLink BCP solution in the event of any issues post-change. This includes how to manually transfer files from your finance applications into/from iLink in the event of an SFTP client connection failure.

Common Issues 

If the change preparation has not been successfully applied, an SFTP connection to the WIBS SFTP server will not be successful without manual administrative user intervention.
This may appear as any of the following errors, depending on your SFTP client software/application:

  • Login Failure

  • SSH/SFTP Handshake Failure

  • File Delivery Failure

If this error occurs, you should perform the following:

  1. Confirm you are using fully updated SFTP client software which supports the latest cryptographic standards

  2. Confirm that when using this software there are no connectivity issues between your UAT environment and our Test/Support environment

  3. Confirm all changes required have been promoted to your Production SFTP client environments. 

Frequently Asked Questions

Do I need to send through a new Connectivity Change Request?

There is no requirement to send through a Connectivity Change Request in iLink for customers to take action on this change. This change should only affect the SFTP client software and not the network path.

Do I need to change my SSH or PGP keypairs for this change?

This change does not affect your SSH or PGP keypairs and there is no requirement for them to change as a part of this change.

Qvalent pushes files to our SFTP server. Do I need to change my SFTP server? 

This change does not affect the pushing of files to the customer SFTP server.
Customers should ensure their SFTP servers are up to date with all security patches and use industry best-practice cryptography.
This change does however affect your SFTP client software for any files that you send to the Qvalent SFTP server hosts mentioned in the change notification using your SFTP client.

How do I evaluate whether my SFTP client software contains cryptography which is compatible with the changes Westpac is making?

Westpac advises customers to perform a full UAT test against our Test/Support environment to confirm this change will not cause any issues for your integrations.
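Ahead of UAT, a client's configured algorithm lists can be pre-screened for exclusive reliance on SHA1 key exchange or CBC ciphers. The following is an added example, not Westpac code; it assumes explicit comma-separated `KexAlgorithms` and `Ciphers` lines in OpenSSH `ssh_config` style (modifier prefixes such as `+` are not handled), and the sample configuration is constructed. It does not know which algorithms the server offers, so UAT is still required.

```python
def parse_client_config(text):
    """Collect explicit algorithm lists from ssh_config-style lines."""
    wanted = {"kexalgorithms": "kex", "ciphers": "cipher"}
    found = {"kex": [], "cipher": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            names = [a.strip() for a in parts[1].split(",") if a.strip()]
            found[wanted[parts[0].lower()]] = names
    return found


def is_retired(kind, name):
    """Name-based match for the two categories the change removes."""
    base = name.split("@", 1)[0].lower()  # ignore vendor suffix such as @openssh.com
    return base.endswith("-sha1") if kind == "kex" else base.endswith("-cbc")


def assess(text):
    """Per category: what is being removed, what is left, and whether nothing is left."""
    report = {}
    for kind, algos in parse_client_config(text).items():
        remaining = [a for a in algos if not is_retired(kind, a)]
        report[kind] = {
            "retired": [a for a in algos if is_retired(kind, a)],
            "remaining": remaining,
            "exclusive": bool(algos) and not remaining,
        }
    return report


# Constructed sample: a legacy client pinned to old algorithms.
LEGACY = """
# pinned years ago for an old appliance
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-cbc,3des-cbc,aes256-ctr
"""

if __name__ == "__main__":
    for kind, r in assess(LEGACY).items():
        state = "ONLY retired algorithms" if r["exclusive"] else "has alternatives"
        print(kind, state, "| remaining:", r["remaining"])
```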

What if my SFTP connection breaks?

Customers will be required to use iLink as a BCP option for the delivery of their files between your financial systems and Westpac.
This will be communicated by our helpdesk to customers who are having issues with their connectivity. Our helpdesk will be on hand to assist customers who have issues instigating iLink BCP as a priority.
Westpac will be unable to roll this change back.

Can I be granted an extension for this change?

No, extensions cannot be granted for this change.
As this change affects the cryptography offered to all customers via our SFTP server service, all customers must be prepared for this change simultaneously for this change to occur.
If you are not ready for this change, you may need to prepare to change your SFTP client software or prepare to instigate iLink BCP and how it will need to interact with your financial systems.

Will there be a way to continue using the old cryptographic standards?

No, the above-mentioned cryptographic functions will be disabled. There will be no way to reinstate these functions.

My iLink SFTP solution does not involve credit card data and therefore is not subject to PCI-DSS. Does this change still apply to me?

Yes, this change will apply to all SFTP customers that connect to the Westpac (Qvalent) SFTP servers.

Contact Us

Email wibs_support@qvalent.com or phone the Helpdesk team on 1300 726 370 between 7:00am and 7:00pm (AEST), Monday to Friday.

Disclaimer

These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing, but may require update over time. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.
