Right now, if you’re using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) 1.0 protocols, you’re at risk for a data breach. A number of vulnerabilities have been found in this early encryption protocol, causing the card brands to require a security upgrade in order for businesses to meet the Payment Card Industry Data Security Standards (PCI DSS) moving forward.
But first, what exactly is TLS? It’s a cryptographic protocol that helps establish secure communication between two systems. It authenticates the systems and protects the confidentiality of the information passing between them.
This update in PCI DSS requirements is the result of known protocol, implementation and configuration vulnerabilities that allow for Man-in-the-Middle attacks. For instance, the POODLE and BEAST vulnerabilities could reveal encrypted messages and secure cookies, respectively.
Any organization that processes, stores or transmits cardholder information is at risk and needs to upgrade to TLS 1.1 or higher (TLS 1.2 is recommended). Due to the pervasiveness of TLS, it’s a major target for hackers, requiring a complete cutover to the new system and the disabling of any fallbacks.
The deadline for the switch is June 30, 2018. All acquirers, processors, gateways and service providers that have yet to upgrade will be required to provide the Approved Scanning Vendor with documented confirmation that they have their Risk Mitigation and Migration Plan and are ready to make the transition by the deadline. However, just because the deadline is in a couple of months doesn’t mean you can’t be impacted sooner. Payment processing providers are already making the switch, and a lack of proactive communication between providers and developers can lead to negative consequences, such as an inability to accept payments.
Service Interruptions Due to TLS Upgrades
Software companies with integrated payments have the biggest risk of TLS-related hacks and are also more likely to encounter issues during this upgrade period. Some providers are updating their TLS without communicating with the developers managing the existing integrations. With no advance warning or collaboration, these upgrades are causing payment processing issues up to and including complete termination of services. This jeopardizes the relationship between software vendors and their clients, as the end user cannot process credit card payments from their customers.
While browser-based systems have encountered more vulnerabilities, it’s important to note that payment terminals may also use SSL or TLS 1.0 encryption protocols and may need replacement if there are known SSL and early TLS exploits.
The main goal of developing a software application is to develop something that is effective and that fulfills the end-users’ needs. Vendors leveraging a payment API may encounter situations in which their providers don’t meet the June 30 deadline and let their payments fail. Software vendors should do one of two things:
- Proactively reach out about the TLS 1.1 upgrade scheduled for June 30 to determine the provider’s timeline and assist with any technical issues that arise from an upgrade.
- In the event that payment processing ceases and no movement toward a solution is made, look to providers that demonstrate proactive customer service and partnership with their integrations.
If you’re experiencing TLS issues with your provider, we can help. Simply fill out this form, and we’ll reach out about restoring your payment processing and securing your web application to PCI Level 1 requirements.
What issues have you encountered upgrading your TLS to TLS 1.1 or TLS 1.2? Do you have any advice, questions or recommendations to share?