Preparing Your Merchants for the TLS Switch
The TLS switch deadline hits June 30, 2018. All applicable merchants must use TLS 1.1 encryption (as a minimum) by June 2018, or they won’t be able to process any card transactions at all. PCI has drawn this line in the sand as an absolute necessity to ensure the protection of cardholder data. Because the TLS switch may be complex for many merchants, it’s crucial to get the process rolling now to avoid loss of revenue.
What is TLS?
TLS (transport layer security) version 1.2 is the most updated encryption protocol approved by PCI for online data communication. It’s the successor to SSL encryption, which for the past 20 years was the primary driver for all the “https” secure connections we’re used to seeing online.
The problem is that SSL (and even TLS 1.0) are no longer secure encryption methods. SSL and TLS 1.0 leave consumers and businesses wide open to data theft from an endless variety of attacks. Do the terms Heartbleed, DROWN or POODLE ring a bell? They are infamous attacks on SSL and TLS 1.0 communications, and the source of countless millions of dollars lost to data theft.
The vulnerabilities in SSL and TLS 1.0 are so severe that there is no way to patch them. It was necessary to develop an entirely new TLS protocol, 1.1 (and its update, 1.2).
Who needs to upgrade?
The TLS update applies to all merchants who operate e-commerce sites, as well as merchants who transmit any form of payment data over IP. Merchants with a dedicated dial-up connection for a single terminal, or terminals that operate only within a closed-loop intranet, may find themselves exempt. However, the vast majority of merchants will need to upgrade. Vulnerable systems may include point-of-sale terminals, virtual payment terminals, back-office servers, and even user computers. SSL and TLS 1.0 simply have no place in responsible data protection, and PCI compliance mandates their replacement.
When to upgrade?
Most major payment gateways, banks and processors have already made the switch, and are still permitting downgraded transactions for merchants who haven’t. But it’s absolutely crucial to get merchants moving on the migration now. Because this process may be complex, it’s unwise to delay. While migrating may be tedious, it’s a much better alternative than dealing with a data breach. And as of next summer, it’s the only way to keep their businesses online and operational.
What’s involved?
Every merchant setup is different. There is no one-size-fits-all solution. For many merchants, migration will be a complex process. Because of this, PSPs are facing a fair level of merchant pushback and delays. And who can blame them? Half of US merchants are still in the throes of the EMV migration, let alone trying to address a new mandate.
Merchants are just not interested in considering another time-intensive, inconvenient and possibly costly revamp. And it’s likely that, for many merchants, the TLS switch will be a significant upgrade indeed. Every internet-facing system that handles payment data, as well as many other web-linked software systems, will need to be included.
PCI recommends that merchants develop a risk mitigation and migration plan to determine their organization's vulnerabilities and plan their implementation. Luckily, PCI provides a document to help merchants get started, which you can pass on to your merchants.
Software and system upgrades can be especially burdensome for small merchants. If a merchant absolutely can't (or won't) upgrade their operating systems, they have some limited options. Third-party developers have created patches to make some older operating systems TLS 1.2 compliant. But be forewarned: these workarounds will still require dedicated programming time.
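One way to start the vulnerability inventory that the migration plan calls for, as an added example that is not part of the original article or any PCI tool: this Python scanner pins a client handshake to one protocol version at a time and then applies the rule above (SSL and TLS 1.0 refused, TLS 1.1 at minimum). It assumes the scanning host's own OpenSSL can still offer the legacy versions; where it cannot, a version is reported as untestable rather than as disabled.

```python
import socket
import ssl

# Versions to probe, oldest first (Python's ssl module cannot speak SSLv2).
VERSIONS = [("SSLv3", ssl.TLSVersion.SSLv3), ("TLS 1.0", ssl.TLSVersion.TLSv1),
            ("TLS 1.1", ssl.TLSVersion.TLSv1_1), ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
            ("TLS 1.3", ssl.TLSVersion.TLSv1_3)]

def probe_version(host, port, version, timeout=3.0):
    """True if the server completes a handshake pinned to `version`, False if it
    refuses (or the port is unreachable), None if the scanner's own OpenSSL cannot
    speak that version, so the result is unknown rather than "disabled"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # protocol support is under test, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let legacy suites be offered
    except ssl.SSLError:
        pass                                 # library without security levels
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None                          # version compiled out locally
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as err:              # our side refused to offer it?
        return None if err.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return False

def probe_server(host, port):
    """Map each version name to True / False / None for one endpoint."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS}

def assess(results):
    """Apply the mandate: SSL and TLS 1.0 must be refused and at least TLS 1.1
    must work. Returns (meets_minimum, findings)."""
    findings = [f"{n} could not be tested from this host" for n, r in results.items() if r is None]
    legacy = [n for n in ("SSLv3", "TLS 1.0") if results.get(n)]
    modern = [n for n in ("TLS 1.1", "TLS 1.2", "TLS 1.3") if results.get(n)]
    findings += [f"{n} still accepted: disable it" for n in legacy]
    if not modern:
        findings.append("no TLS 1.1 or newer offered: transactions will fail")
    elif modern == ["TLS 1.1"]:
        findings.append("TLS 1.1 only: meets the minimum, but TLS 1.2 is the approved current version")
    return (not legacy and bool(modern), findings)
```

Run `probe_server` against each internet-facing endpoint in the inventory (payment gateway, virtual terminal, back-office server) and feed the result to `assess`.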
Overcoming Objections
The fact is, there is just no easy way to get around the work the TLS update may involve. But unlike EMV, the TLS switch is not voluntary. If merchants are not compliant, they will not be able to perform transactions, period.
PSPs need to explain the mandatory aspect of this update, and remind merchants of the drop-dead date. After all, no one can afford to be cut off cold as of June 2018.
By helping merchants determine their vulnerabilities and begin their migration plans, payment service providers can be an invaluable resource during this transition.