TLS & Security
The LOKE Platform processes payments and must adhere to the standards set by the Payment Card Industry (PCI). Clients connecting to our APIs are required to maintain a TLS client that is capable of negotiating a connection using those standards.
Minimum Requirements
At the time of writing, this means:
- TLS v1.2 or higher must be used to establish the connection.
- The connection must negotiate a cipher suite that meets the current PCI minimum requirements.
Earlier versions of TLS (1.0, 1.1) and SSL are not supported and connections attempting to use them will be rejected.
In practice, connecting from an actively maintained operating system with an up-to-date TLS library is generally sufficient to satisfy these requirements without any special configuration.
Integrator Responsibilities
Integrators should review the current PCI guidance to ensure their client implementations remain compliant.
We review the cipher suites permitted on our platform annually in line with the best-practice recommendations published by NIST.
As these recommendations evolve, the set of cipher suites accepted by our servers will be updated to match. Clients that cannot negotiate one of the currently permitted suites will be unable to connect.
Operating System Support
We do not actively support operating systems that are no longer maintained by their provider. Continuing to use an end-of-life operating system carries a real risk of suddenly being unable to connect to our APIs once the set of permitted cipher suites is updated to reflect current best practice.
We strongly recommend running integrations on an operating system that continues to receive security updates from its vendor, and keeping any TLS libraries (OpenSSL, Schannel, BoringSSL, etc.) current.
If you are running an operating system that you believe is patched and up to date and should support modern TLS standards, but you are still unable to connect, please contact us so we can help debug the issue.
Why We Cannot Make Exceptions
In order to ensure the security of all of our customers, we are required to maintain these standards across our platform. We cannot weaken the overall security posture of our APIs and servers to accommodate an individual client that is unable to meet the current requirements.
If you are unsure whether your client will be able to connect, please reach out to your partnership or project manager before going live.