TLS and Certificates


I'm developing an application in VB.NET and have a requirement to communicate with a payment processor via TLS. I'm reading over technical articles on TLS. The articles suggest that an X.509 certificate is used when communicating.

Is a certificate required when implementing .Net SSL classes?

Thank You.

Brian Murphy (IT Architect) commented:

Signature and authentication being two distinct differences.

Dave Howe (Software and Hardware Engineer) commented:

Normally the X509 certificate is at the payment processor end - unless there is a requirement for a client cert (which often the PP will issue to you) you merely need to verify the certificate and negotiate an encrypted link using it - both of which normally System.Net.Security.SslStream will take care of for you.

Note, if the PP's API is basically HTTPS (RESTful APIs being a good example) then you can use the easier System.Net.WebRequest to handle the HTTPS for you too.

John Gates, CISSP (Security Professional) commented:

And you will want TLS 1.2 for PCI DSS compliance. I write applications that process credit cards and can tell you to make sure that credit card information is encrypted through the transaction lifecycle. From the time someone types a credit card in until the time you present it to the processor and get a response. If you can, I would also suggest not holding any PII locally. If you need to store cardholder information in your database, ensure it is encrypted.

Hope this helps!

Dave Howe (Software and Hardware Engineer) commented:

TLS 1.2 is more a server-side thing (again) though, John - the dotnet libraries will support TLS 1.2 provided the server does. Ideally, the PP should be 1.2 only by now, so the question is moot - either the client library can negotiate a TLS 1.2 connection, or it will fail to set up at all.

John Gates, CISSP (Security Professional) commented:

You would be surprised how many payment gateways will still allow a 1.1 connection. And the .NET libraries can be set to not allow lower transport layer security. The rest of my statement holds true and I believe provides the asker valid useful information that will help them in the long run.
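
The points raised in this thread (the server presents the certificate, a client certificate is needed only if the processor issues one, and the client can refuse anything below TLS 1.2) can be seen together in the following added example, which is not part of any participant's post. The host name `gateway.example.com` is a placeholder assumption, not a real processor endpoint.

```vbnet
Imports System.IO
Imports System.Net.Security
Imports System.Net.Sockets
Imports System.Security.Authentication
Imports System.Security.Cryptography.X509Certificates

Module TlsClientExample
    ' Placeholder endpoint (assumption); use the host the processor documents.
    Private Const Host As String = "gateway.example.com"
    Private Const Port As Integer = 443

    ' Accept the server certificate only when the platform's chain-building
    ' and host-name checks both passed. Never return True unconditionally.
    Private Function ValidateServer(sender As Object, cert As X509Certificate,
                                    chain As X509Chain,
                                    errors As SslPolicyErrors) As Boolean
        Return errors = SslPolicyErrors.None
    End Function

    Sub Main()
        ' Stays empty unless the processor has issued you a client certificate;
        ' if it has, load it and add it to this collection.
        Dim clientCerts As New X509CertificateCollection()

        Using tcp As New TcpClient(Host, Port)
            Using tls As New SslStream(tcp.GetStream(), False,
                                       AddressOf ValidateServer)
                Try
                    ' Offer TLS 1.2 only and check certificate revocation.
                    ' A server limited to TLS 1.1 or older fails the handshake
                    ' here instead of silently negotiating down.
                    tls.AuthenticateAsClient(Host, clientCerts,
                                             SslProtocols.Tls12, True)
                Catch ex As Exception When TypeOf ex Is AuthenticationException _
                                       OrElse TypeOf ex Is IOException
                    Console.WriteLine("TLS handshake failed: " & ex.Message)
                    Return
                End Try

                Console.WriteLine("Negotiated protocol: " & tls.SslProtocol.ToString())
                Console.WriteLine("Server certificate subject: " &
                                  tls.RemoteCertificate.Subject)
            End Using
        End Using
    End Sub
End Module
```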
