Google Chrome and Mozilla Firefox will stop trusting Symantec-issued SSL/TLS certificates. To mitigate this, the following URLs will have the SSL/TLS certificates replaced with EnTrust certificates:

pnpnet.qvalent.com
pnpnet.support.qvalent.com
www.payway.com.au
api.payway.com.au

Important Change Information for Qvalent/Westpac Customers

This page contains advice which must be actioned to ensure no loss of banking service with the Quickstream and PayWay Qvalent/Westpac products

Who might this change affect?

Any customer application which:

Connects to any of the following URLs hosted by Qvalent used by our Quickstream and/or PayWay products AND
Does not already have the relevant Entrust certificate authorities added to the application's SSL/TLS trust store.

Quickstream	PayWay
pnpnet.qvalent.com (Production Environment)	www.payway.com.au (Production Environment)
pnpnet.support.qvalent.com (Test Environment)	api.payway.com.au (Production Environment)

Why is Qvalent/Westpac making this change?

Mozilla and Google will begin removing trust for all SSL/TLS certificates issued by Verisign/Symantec Roots in September 2018 in new releases of their Internet browser applications. Whilst other vendors and applications may not be proceeding with this action, due to the use of these hosts by browsers from these vendors, we must proceed with this change before this deadline to ensure maximum compatibility with these services.

Qvalent has made the decision to move to Entrust as our new provider of SSL/TLS certificates for theses hosts. This means changing the structure of the certificates on these hosts which may result in distrust by applications.

When will this change be made?

Qvalent plans to make the certificate changes at the following dates/times:

URL	Date and Time
pnpnet.support.qvalent.com (Test/Support Environment)	Monday May 14 @ 10:00am AEST
pnpnet.qvalent.com (Production Environment)	Tuesday August 7 @ 10:00am AEST
api.payway.com.au (Production Environment)	Monday August 13 @ 10:00am AEST
www.payway.com.au (Production Environment)	Monday August 13 @ 10:00am AEST

Customers however can take action now to prepare for these changes.

What certificates are being changed?

Qvalent will begin to issue server certificates for the above hosts from the following Root and Intermediate Certificates

Root Certificate

Common Name (CN)	Entrust Root Certification Authority - G2
Valid Until	8/12/2030
Thumbprint	8c f4 27 fd 79 0c 3a d1 66 06 8d e8 1e 57 ef bb 93 22 72 d4
Available from Entrust at	https://entrust.com/root-certificates/entrust_g2_ca.cer

Intermediate Certificate

Common Name (CN)	Entrust Certification Authority - L1K
Issued By	Entrust Root Certification Authority - G2
Valid Until	6/12/2030
Thumbprint	f2 1c 12 f4 6c db 6b 2e 16 f0 9f 94 19 cd ff 32 84 37 b2 d7
Available from Entrust at	https://entrust.com/root-certificates/entrust_l1k.cer

How does this change affect my application?

When your application connects to one of the above hosts, it requests it validates the certificate issued to these hosts comes from a trusted certificate authority.

If you do not have the new Entrust root certificate authority hosts in your repository, then your application will not trust the Qvalent host.

If this happens, your application will not connect to our web service, which will result in a loss of banking service.

What must I do?

Step	To Do
1	Read this detailed change advice and ensure it reaches all application owners which connect to Qvalent services to investigate the impact of this change.
2	Identify all applications which interact with these hosts and take action to prepare for this change immediately.
3	Validate preparedness of applications and systems for this change by ensuring all systems have the Entrust Root CA in their application’s trust store. This procedure varies depending on your application technology. Please refer to the Further Information page for further detailed information regarding this change - Further Information Regarding Qvalent/Westpac Entrust SSL/TLS Certificate Change
4	Take immediate action to add the Entrust Root CA to your application's trust store if it is not present. This procedure varies depending on your application technology. For Quickstream customers using pnpnet.qvalent.com, Perform UAT testing against our test environment pnpnet.support.qvalent.com to ensure these changes are appropriate for your application and ensure changes are promoted to Production environments
5	Understand and be prepared to instigate business BCP processes in the event of any issues post change to ensure banking services continue with this loss of service
6	Understand and be prepared to gather application developer and systems administrator resources in the event of any issues post change.

Further Information

Further Information regarding this change can be found at Further Information Regarding Qvalent/Westpac Entrust SSL/TLS Certificate Change.

Contact Us

For Quickstream Customers using pnpnet.qvalent.com or pnpnet.support.qvalent.com

Email quickstream@qvalent.com or phone the Quickstream helpdesk team on 1300 726 370 between 7:00am to 7:00pm (AEST), Monday to Friday.

For PayWay Customers using www.payway.com.au or api.payway.com.au

Email payway@qvalent.com or phone the Payway Helpdesk team on 1300 727 111 between 8.30am to 5.30pm (AEST), Monday to Friday.

Disclaimer

These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing, but may require update over time. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.