Support will end for TLS 1.0 encryption protocol
For millions of merchants, the path to compliance recently took a sharp turn when the Payment Card Industry Security Standards Council announced it would no longer support Transport Layer Security 1.0 (TLS 1.0) as of June 30, 2018. For merchants with stand-alone payment terminals, adopting the TLS 1.1 or TLS 1.2 security protocol will require little more than a simple software download. However, merchants with multiple payment terminals running on a pre-Windows 7 OS or on older hardware may find the transition complex, time-consuming and even costly.
Why the switch?
While an 18-year-old person may be considered young, an 18-year-old encryption protocol is probably ready for retirement. Since the 1999 release of TLS 1.0, cyber criminals have had an opportunity to test virtually every window and door in the protocol—making it too vulnerable to remain viable. The replacement protocols, TLS 1.1 and TLS 1.2, were developed in 2006 and 2008, respectively, and are much more secure. Switching to either of the new encryption protocols as soon as possible allows merchants to add a much-needed layer of security and helps them beat the rush to meet the deadline.
Merchants that don’t upgrade to the TLS 1.1 or TLS 1.2 encryption protocol by the June 2018 deadline won’t be able to process any card transactions, resulting in lost revenue and frustrated customers. Depending on how complex a merchant’s payment processing system is, implementing either of the new security protocols can involve purchasing new computer hardware, installing software and training employees to use the new system. Each step takes time, so merchants shouldn’t wait until the last minute to bring their payment systems into compliance.
Eliminating a non-compliant merchant’s ability to perform card-based transactions may seem harsh, but it’s necessary to protect consumers.
Regardless of whether a merchant accepts cards online via a checkout page or via a POS system or terminal, payment data relies on security protocols to travel, even when tokenization and point-to-point encryption are used. Earlier protocols, including SSL and TLS 1.0, were the targets of specifically designed malware that exploited their vulnerabilities.
Should my business adopt TLS 1.1 or TLS 1.2?
TLS 1.2 contains some corrected entries and was released about four months after version 1.1, leading some ISO/MSP organizations to advise using the later version. TLS 1.3, an even newer version currently in development, has no set release date yet. So for the time being, updating to either TLS 1.1 or 1.2 will keep merchant terminals and POS systems humming along once TLS 1.0 is no longer an option.
If you need assistance updating from TLS 1.0, contact National Merchants Association—a payments industry innovator that takes security as seriously as you do. NMA provides the industry updates, education and advocacy your business needs to stay competitive. Contact National Merchants Association today for information or to learn more.