PCI Mandate

Important! As part of implementing the TLS 1.2 PCI Mandate, the schedule for disabling non-compliant security protocols in all environments has been completed. Please take note of the following scheduled changes.

  • Beginning April 4, all Sabre non-production environments will refuse SSL connections that are not compliant with the TLS PCI Mandate (SSLv2, SSLv3, TLSv1.0, TLSv1.1). The changes will occur on April 4 between 19:00 CDT and 05:00 CDT and will complete the next evening, April 5, during the same time period.

  • Two test runs will be conducted in the production environment to allow both Sabre and our customers to catalog and remediate any unforeseen effects before the final change on June 18, 2018. During each test run on the dates listed below, Sabre APIs (Sabre Web Services) will stop accepting non-compliant connections (that is, SSLv2, SSLv3, TLSv1.0, TLSv1.1). Any products not upgraded to compliant versions (as defined in previous communications) will stop working, as will any custom applications not using TLS 1.2 to connect to Sabre APIs. Non-compliant connections will be restored at the end of each test run.
    • Test Run 1:  June 9, 2018 from 10:00 CDT to 11:00 CDT / 16:00 BST to 17:00 BST / 23:00 SGT to 00:00 SGT
    • Test Run 2:  June 9, 2018 from 21:00 CDT to 22:00 CDT (June 10, 2018 from 3:00 BST to 4:00 BST / 10:00 SGT to 11:00 SGT)

  • The final change in the production environment for non-compliant SSL connections is scheduled for June 18, 2018 at 19:00 CDT

  • Be reminded that Sabre is in the process of discontinuing access to legacy URLs used to connect to the Sabre APIs in TSTS, CERT and PROD environments. The sunset date is June 30, 2018 at 19:00 CDT. Traffic to Sabre through legacy URLs will no longer be supported past the deadline. To ensure your applications are not affected, please migrate to our latest endpoints. Please refer to the following pages for details on the specific endpoints being sunset: API Versioning


These changes apply to all Customers using HTTPS connections to any of the Sabre API URLs. The table below identifies the recommended encryption protocols and ciphers. Once the changes are implemented, any connection that cannot negotiate TLS v1.2 or that uses an unsupported cipher will be rejected. Customers should work with their IT organizations to determine what actions are required to comply with this industry mandate, including for applications and systems beyond those connecting to Sabre.

Supported Encryption Protocols

TLSv1.2 and higher

 

Supported Ciphers

Strong ciphers with key lengths >= 128 bits must be used

Unsupported Encryption Protocols

Secure Sockets Layer (SSL) versions 1.0, 2.0, and 3.0

Transport Layer Security (TLS) versions 1.0 and 1.1

Unsupported Ciphers

MD5, RC4, DES/3DES, EXPORT, aNULL and eNULL
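
One way to apply the table above on the client side, shown as an added example (not Sabre's code): a Python ssl context that can only negotiate TLS 1.2 or higher with strong ciphers, plus a check that flags settings the table lists as unsupported. The function names and the legacy sample values are constructed for illustration.

```python
import ssl

# The notice's unsupported cipher families as OpenSSL cipher-string exclusions.
EXCLUDE = "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"

def compliant_client_context():
    """Client context limited to TLS 1.2+ and strong ciphers."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:" + EXCLUDE)
    return ctx

def audit(min_version, ciphers):
    """Check a protocol floor and get_ciphers()-style dicts against the table."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLSv1.2")
    for c in ciphers:
        sym = (c.get("symmetric") or "").lower()
        reasons = []
        if c.get("strength_bits", 0) < 128:  # also catches EXPORT and eNULL
            reasons.append("key strength below 128 bits")
        if sym.startswith(("rc4", "des")):
            reasons.append("RC4 or DES/3DES encryption")
        if (c.get("digest") or "").lower() == "md5":
            reasons.append("MD5 digest")
        if c.get("auth") == "auth-null":  # value Python reports for aNULL suites
            reasons.append("anonymous key exchange (aNULL)")
        if reasons:
            findings.append(c["name"] + ": " + ", ".join(reasons))
    return findings

def audit_context(ctx):
    """Audit a live SSLContext using its own floor and enabled cipher list."""
    return audit(ctx.minimum_version, ctx.get_ciphers())

# Constructed sample of a legacy client's settings, for illustration only.
LEGACY_FLOOR = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = [
    {"name": "RC4-MD5", "strength_bits": 128, "symmetric": "rc4",
     "digest": "md5", "auth": "auth-rsa"},
    {"name": "DES-CBC3-SHA", "strength_bits": 112, "symmetric": "des-ede3-cbc",
     "digest": "sha1", "auth": "auth-rsa"},
    {"name": "ADH-AES128-SHA", "strength_bits": 128, "symmetric": "aes-128-cbc",
     "digest": "sha1", "auth": "auth-null"},
]

if __name__ == "__main__":
    print(audit_context(compliant_client_context()))
    print("\n".join(audit(LEGACY_FLOOR, LEGACY_CIPHERS)))
```

Run audit_context() against the context an application actually builds before a cutover date; an empty list means nothing in it conflicts with the table.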

SSL to TLS Migration

Migration Guide
PCI Mandate FAQ-Update April 4, 2018
PCI Mandate FAQ

Industry mandate references

PCI Council
United States Computer Emergency Readiness Team
