To maintain a highly secure and stable platform, we will be removing support for 2 outdated ciphers at 10am on Tuesday 30 September 2025.
Due to known vulnerabilities, ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 are classified as weak and need to be removed.
This notice is only relevant to services that integrate with Pay’s public API. These ciphers are long outdated, so we are confident the majority of our services will be unaffected by this change.
We temporarily removed support for these ciphers on 12 June 2025 for a period of 23 hours. This exposed some use of these ciphers, and the 2 systems affected were unable to take payments during this period. We have contacted them directly.
It is possible that some lower volume services (that do not take payments every day), or those with infrequent automated reporting jobs using our API, may still use these ciphers.
Where possible, or if in doubt, please try to consult a technical engineer to rule out your use of these ciphers, or to plan work to move away from them over the next 3 months. If you are unsure and haven’t been able to confirm internally, please email govuk-pay-support@digital.cabinet-office.gov.uk and we will try our best to help.
This will be a permanent change and we will not be able to provide extensions to use these ciphers after September 2025.