PCI Mandate

The Payment Card Industry (“PCI”) Council, as well as Visa and MasterCard, have issued a mandate that all merchants and service providers configure their systems to ensure secure connections between relevant systems.


In support of this PCI mandate, Sabre will disable the ability to connect to the Sabre APIs using the SSLv3.0 encryption protocol and all versions of Transport Layer Security (TLS) prior to version 1.2. In addition, Sabre will no longer support communication with ciphers using keys of less than 128 bits.


These changes apply to all Customers using HTTPS connections to any of the Sabre API URLs. The table below identifies the recommended encryption protocols and ciphers that should be used. Once the changes are implemented, any connection that cannot negotiate TLS v1.2 or that uses an unsupported cipher will be rejected. Customers should work with their IT organizations to determine what actions are required to comply with this industry mandate, including for applications and systems beyond those connecting to Sabre.

 

Supported Encryption Protocols

TLSv1.2 and higher

 

Supported Ciphers

Strong ciphers with key lengths >= 128 bits must be used

Unsupported Encryption Protocols

Secure Sockets Layer (SSL) versions 1.0, 2.0, and 3.0

Transport Layer Security (TLS) versions 1.0 and 1.1

Unsupported Ciphers

MD5, RC4, DES, EXPORT, aNULL and eNULL
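
A client-side check of the requirements in the table above, as an added example that is not Sabre's code: it builds a Python `ssl` context limited to TLS 1.2 or higher with the unsupported cipher families excluded, then audits the enabled suites against the listed rules. The OpenSSL cipher string, the function names and the two sample weak entries are assumptions constructed for illustration.

```python
import ssl

# OpenSSL cipher string (an assumption, not from the page): start from HIGH,
# then drop every family the notice lists as unsupported.
CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"

def build_context():
    """Client context that refuses SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRING)  # governs TLS 1.2 suites; TLS 1.3 suites are set by OpenSSL
    return ctx

def audit(ciphers):
    """Return [(name, [reasons])] for suites that break the listed rules."""
    findings = []
    for c in ciphers:
        # OpenSSL descriptions look like "NAME TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        fields = dict(f.split("=", 1) for f in c["description"].split() if "=" in f)
        enc, reasons = fields.get("Enc", ""), []
        if c["strength_bits"] < 128:
            reasons.append("key < 128 bits")
        if fields.get("Au") == "None":
            reasons.append("aNULL")
        if enc.startswith("None"):
            reasons.append("eNULL")
        if fields.get("Mac") == "MD5":
            reasons.append("MD5")
        if enc.startswith("RC4"):
            reasons.append("RC4")
        if "DES" in enc:
            reasons.append("DES")
        if c["name"].startswith("EXP"):
            reasons.append("EXPORT")
        if reasons:
            findings.append((c["name"], reasons))
    return findings

# Constructed sample entries, shaped like SSLContext.get_ciphers() output.
WEAK_SAMPLES = [
    {"name": "RC4-MD5", "strength_bits": 128,
     "description": "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5"},
    {"name": "ADH-AES128-SHA", "strength_bits": 128,
     "description": "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1"},
]

if __name__ == "__main__":
    print("hardened context findings:", audit(build_context().get_ciphers()))
    print("weak sample findings:", audit(WEAK_SAMPLES))
```

Running the same `audit` over the cipher list of an existing application's context shows whether it would still offer a suite that will be rejected after the change.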

Sabre API Test URL Endpoints

SOAP APIs
REST APIs

SSL to TLS Migration

Migration Guide
PCI Mandate FAQ

Industry mandate references

PCI Council
Visa
United States Computer Emergency Readiness Team
