Skip to main content

TLS 1.2 upgrade


Test your connections as soon as possible to avoid service disruptions.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to provide encryption over a network. You may already be familiar with Secure Sockets Layer (SSL), the predecessor to TLS. When you visit a web page and see 'HTTPS' in the URL, that indicates that the web page is sent over an encrypted connection.

Our REST and SOAP APIs use the same methods of encryption. TLS 1.2 is the latest version of TLS and has been around for ~10 years. It's well supported in web browsers and modern operating systems. TLS 1.2 represents the industry benchmark for encryption and will ensure the highest level of security for your data.

What's changing?

In 2018 (contact your local support team for an exact date) we will begin migrating to TLS 1.2, making it and SFTP the only cryptographic protocols compatible with Experian Data Quality’s hosted products.

This means that connections using SSLv3, TLS 1.0, and TLS 1.1 will no longer be provided for our hosted products, including both websites and API calls. In addition, connections using the RC4 cypher suite will no longer be supported

How does it affect me?

If the system you use to connect to our products is not configured to use TLS 1.2, your integration could stop working. Please contact your local support team for an exact date.

What do I need to do?

We strongly recommend using our test endpoints to determine the compatibility of your system and to allow ample time to plan upgrades, if necessary. 

We recommend testing in an environment as close as possible to your production environment. If you're connecting to one of our SaaS portal websites, we recommend using a modern browser with TLS 1.2 support. The most recent versions of Chrome, Firefox, and Safari are compatible, as well as all versions of Microsoft Edge. Internet Explorer 11 is compatible with Windows 7 and above.

Compatibility diagram

This diagram illustrates which technologies will require only testing, a potential reconfiguration, or major changes to your integration:



Test your product

Any product that connects to Experian Data Quality servers over the internet is affected by this change. This includes hosted products like Capture Application, most of our APIs, all Experian Data Quality and IST websites as well as any on-premise products that connect to our servers like Electronic Updates. 

My integration URL contains:Replace with:
ws.ondemand.qas.com ws.verify.ondemand.qas.com
ws2.ondemand.qas.com ws2.verify.ondemand.qas.com
ws3.ondemand.qas.com ws3.verify.ondemand.qas.com
api.experianmarketingservices.com  api.verify.experianmarketingservices.edq.com
api2.qasemail.qas.com 
us4.api2.qasemail.qas.com
api.leadspend.com us4.api2.qasemail.qas.com
els.experianinteractive.com elstest.experianinteractive.com

These test endpoints may use different SSL certificates than our production endpoints. If your infrastructure requires manually installing SSL certificate chains, we recommend using the SSL Labs Test Tool to show a list of and download the required certificates. Make sure you enter the full domain and sub-domain (e.g. ws.verify.ondemand.qas.com) while testing.

Choose your product to find out more:

Address, Email & Phone Validation

Address Validate REST API
Address Validate SOAP API (previously QAS OnDemand)
Capture Application
Email Automated Batch
Email Validate (Legacy)
Email Validate REST API
Global Intuitive
Phone Validate REST API

CRM integration

EDQ for Demandware
EDQ for Magento
EDQ for MSCRM
EDQ for Salesforce


Other

Electronic Updates
IST Watch / CorrectAddress Web Service
Prospect IQ

Product not listed? Contact support

Address Validate SOAP API

1. Find the API call to Address Validate SOAP in your code. If you’re not sure where this is, search for ondemand.qas.com. Your integration will be pointing to one of the below:

  • UK: ws.ondemand.qas.com 
  • USA: ws2.ondemand.qas.com
  • APAC: ws3.ondemand.qas.com 

2. Replace the domain and sub-domains with ws.verify.ondemand.qas.com. Do not change the rest of the URL.

Note this test domain may have a different IP address based on your geographic location. Make sure that while testing, your system can pass traffic to these IP addresses: 45.60.69.201, 45.60.72.201, 45.60.63.201, 45.60.65.201, 45.60.67.201.

3. Test as appropriate for your integration. If addresses validate normally, the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2. We recommend that you:

4. Revert to the previously used URL.

Address, Phone and Email REST APIs

1. Find the API call to Address Validate REST, Phone Validate REST, or Email Validate REST in your code. If you’re not sure where this is, searching for api.experianmarketingservices.com.

2. Replace the domain and sub-domains with api.verify.experianmarketingservices.edq.com. Do not change the rest of the URL.

Note this test domain may have a different IP address based on your geographic location. Make sure that while testing, your system can pass traffic to these IP addresses: 45.60.69.201, 45.60.72.201, 45.60.63.201, 45.60.65.201, 45.60.67.201.

3. Test as appropriate for your integration. If the address, phone number, or email validates normally, the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2.
4. Revert to the previously used URL.

If your integration is written in Java or .NET please check the compatibility diagram

Capture Application

You have to re-install all Capture Application client instances, replacing them with the latest version which supports TLS 1.2. To get it:
1. Log into the Self Service Portal.
2. Go to to Products > Capture Application.
3. Follow the instructions and click Download Capture when ready.

Note that Capture Application has to be run on Windows 7, Windows Server 2008 R2 (or above) to connect using TLS 1.2.

Electronic Updates

For users of the Electronic Updates Windows Client, a new version of Electronic Updates is available for download from updates.qas.com.
If you've got a custom REST API integration or use the sample code, please see the compatibility diagram to ensure that the middleware will work with TLSv1.2.
Where appropriate, we strongly recommend .NET 4.6 or Java 8. For integrations using OpenSSL (e.g. Ruby or Python), use v1.0.1. For Python, v2.7.9 and above or v3.6 and above.

EDQ for Demandware

 No testing is required.

EDQ for Magento

1. Find the root directory for your integration.
2. Edit the configuration file located in {root}\app\code\community\EDQ\AddressValidation\etc\config.xml.
3. Search for the <endpoint> tag. It should be pointing to ws2.ondemand.qas.com/ProOnDemand/V3/ProOnDemandService.asmx.
4. Change this to ws.verify.ondemand.qas.com/ProOnDemand/V3/ProOnDemandService.asmx.

Note this test domain may have a different IP address based on your geographic location. Make sure that while testing, your system can pass traffic to these IP addresses: 45.60.69.201, 45.60.72.201, 45.60.63.201, 45.60.65.201, 45.60.67.201.

5. If the address validates normally, the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2. We recommend that you:

6. Change back to your previously used URL.

EDQ for MSCRM

1. Go to the SETTINGS page, and then browse to QASConfiguration.
2. Under User Role Configurations click Default, then Company Installation.
3. In User Role Configurations select https://ws2.ondemand.qas.com/ProOnDemand/V3/ProOnDemandService.asmx.
4. Click Edit.
5. Change EDQ On Demand Data Center to Custom using the dropdown.
6. Change the EDQ On Demand URL to https://ws.verify.ondemand.qas.com/ProOnDemand/V3/ProOnDemandService.asmx.

Note this test domain may have a different IP address based on your geographic location. Make sure that while testing, your system can pass traffic to these IP addresses: 45.60.69.201, 45.60.72.201, 45.60.63.201, 45.60.65.201, 45.60.67.201.

7. If the address validates normally, the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2. We recommend that you:

8. Once validated, change back to your previously used URL.

EDQ for Salesforce

No testing is required.

Email Automated Batch

No testing is required.

Email Validate (Legacy)

1. Find the API call to Email Validate in your code. There are multiple URLs that may be in use, including api.leadspend.com and api2.qasemail.qas.com.
2. Replace the domain and sub-domains with us4.api2.qasemail.qas.com. Do not change the rest of the URL.

Note this test domain may have a different IP address based on your geographic location. Make sure that while testing, your system can pass traffic to these IP addresses: 45.60.69.201, 45.60.72.201, 45.60.63.201, 45.60.65.201, 45.60.67.201.

3. Test as appropriate for your integration. If the email address validates normally, the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2.
4. Revert to the previously used URL.

Global Intuitive

This product only supports TLS 1.2 connections. No testing is required.

IST Watch / CorrectAddress Web Service

1. Find the API call to IST Watch/Correct Address Web Service in your code. Both products use the same domain: www.intelligentsearch.com.
2. Replace the domain and sub domains with www.verify.intelligentsearch.com. Do not change the rest of the URL.

Note this test domain may have a different IP address based on your geographic location. Make sure that while testing, your system can pass traffic to these IP addresses: 45.60.69.201, 45.60.72.201, 45.60.63.201, 45.60.65.201, 45.60.67.201.

3. Test as appropriate for your integration. If the address, phone number, or email validates normally, the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2.
4. Revert to the previously used URL.

Prospect IQ

Prospect IQ has enabled connectivity via TLS 1.2 on the test domain (elstest.experianinteractive.com) only to allow you to test your Prospect IQ integrations.

1. Find the API call to Prospect IQ in your code. There will only be one domain listed in your integration: els.experianinteractive.com.
2. Replace the domain and sub-domains with elstest.experianinteractive.com. Do not change the rest of the URL.
3. Test as appropriate for your integration. If the response is normal, then the test was successful and your environment supports connecting to our servers using TLS 1.2. If the connection fails, you will need to investigate which parts of your infrastructure are not compatible with TLS 1.2. See the compatibility diagram for details.
4. Revert to the previously used URL.

For further information, see the Prospect IQ user guide or contact support.

Product not listed? Contact support