
5 Things Retailers Need To Know About The Impending TLS Deadline

Henry Helgeson, Cayan

In the war against increasingly sophisticated hackers, retailers continue to find themselves on the front lines, grappling with the unfortunate reality that there is no easy fix for their difficult security problems. It’s truly a race for retailers — especially as more and more businesses migrate online and to Internet-connected terminals — to find and implement the best security protections.

Take, for example, the aftershock the industry felt after two high-profile bugs, Heartbleed and Poodle, rocked the security world. According to the Payment Card Industry Security Standards Council (PCI SSC), 18 months after the Heartbleed vulnerability was announced there were reportedly still 200,000+ vulnerable devices on the Internet. These vulnerabilities served as a painful reminder that security is only as strong as its weakest link.

For retailers, the weak link is Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) encryption security protocols. In response, the PCI DSS has been evolving rapidly to migrate and upgrade merchants to more secure channels. In its latest standards document, the industry council added TLS 1.0 to its list of vulnerabilities, instructing members to migrate to a more secure version, TLS 1.1 or higher, by June 30, 2018.

Why is this so important to retailers? In layman’s terms, if merchants do not update they will no longer be able to process card transactions as of July 1, 2018. While this changeover deadline appears to be far out, the truth is the earlier a merchant gets started, the smoother the transition will be and the less vulnerable they will be to attack. Here are five essential questions merchants need to ask to better prepare for TLS:

1. What is TLS?

Transport Layer Security (TLS) is an encryption protocol approved by the Payment Card Industry. What’s important for merchants to understand is that it keeps customer data safe through encryption and ensures no third parties can eavesdrop or tamper with messages when servers and clients communicate. It’s involved in every step of the payment chain.

2. What are the basics of the situation?

On July 1, 2018, an encryption method called TLS 1.0 will no longer be approved by the Payment Card Industry. Merchants must update to a newer version of TLS before that day, or they can no longer process card payments.

3. Why was this decision made?

The Payment Card Industry is taking a proactive step here, laying out a deprecation plan for a particularly weak encryption algorithm before hackers develop too many ways to exploit it. While there have been no known breaches of TLS 1.0 to date, the writing is on the wall. It’s critical merchants heed this mandate and upgrade to either TLS 1.1 or 1.2 before the July 1, 2018 deadline.

4. What happens if a merchant doesn’t update?

If a merchant doesn’t update before July 1, 2018, they will no longer be able to process card transactions as of that day. The potential impact on the U.S. economy will be tremendous. Proactive communication is vital across the board to onboard merchants and vendors with the transition in a timely manner.

5. The deadline seems so far away?

While this deadline is nearly a year away, the retail industry’s history with large payment technology changes — most notably, the EMV / chip card switchover and the SHA update — indicates that processors and merchants alike should plan far in advance.  

Merchants have increased responsibility to do everything within their power to ensure that the transactions across all channels are secure. There is no question that the migration away from SSL and early TLS is critically important, and absolutely necessary to protect payment data and other sensitive personally identifiable information. Waiting is not recommended. With each day that passes, anyone still using SSL and early TLS risks being breached.


As CEO and Co-Founder of Cayan™, Henry Helgeson is responsible for driving the future vision of the company, ensuring that Cayan remains at the forefront of payments innovation. Determined to find a lower cost solution for small businesses, Helgeson launched Cayan (formerly Merchant Warehouse) in 1998, the first company to provide easily accessible and affordable credit card processing services and equipment. He led the launch of Genius®, an industry-leading payment technology platform that now powers payment acceptance at thousands of leading retailers and businesses throughout the U.S., and he continues to drive expansion of the Genius platform as well as new product offerings and value-adds. Helgeson is involved in numerous industry associations and is an active member of the Electronic Transactions Association’s (ETA’s) Mobile Payments Committee.
