Monthly Archives: March 2017
Will Your Payment Processing Break Due To Mandatory Security Update? – 2017 Deadline Approaching for TLS 1.2 Requirement
The PCI Security Council has mandated that online merchants who accept credit cards must upgrade from the older SSL and early TLS security protocols, to the newer TLS 1.2 protocol. The required implementation dates to remain in compliance have changed multiple times, causing merchant confusion. To further this confusion, individual gateways and processors have their own implementation timelines for TLS 1.2 support.
Due to recent high profile attacks, some vendors have decided to expedite the transition to TLS 1.2 and completely end support of the older, less secure protocols. This was primarily done because of the known risks of the older security protocols and the PCI Security Council’s assessment of the risk to merchants. The PCI Security Council has stated, “The vulnerabilities within SSL and early TLS are serious and left unaddressed put organizations at risk of being breached.” Because of these known risks, payment technology vendors have become more aggressive in their implementation timeframes and are in the process of deprecating the older protocols beginning in 2017.
One such company is PayPal. PayPal just recently turned off support of the older protocol for test environments and will completely stop supporting the older protocols by June 30, 2017. FOR MERCHANTS USING A PAYPAL PAYMENT GATEWAY WHO HAVE NOT UPGRADED THEIR SYSTEMS TO SUPPORT TLS 1.2, CREDIT CARD PROCESSING SERVICES WILL NO LONGER WORK AFTER THAT DATE.
Dates to know:
- PCI Security Council original date of TLS 1.2 compliance was 2016
- PCI Security Council new date of TLS 1.2 compliance is June, 2018
- PayPal testing environment ended support of older protocols on February 15, 2017
- PayPal production environment ends support of older protocols on June 30, 2017
How do you ensure you will be able to accept credit card payments after the June 30, 2017 deadline? The first thing merchants should do is contact their systems providers to determine all of the payment gateway connections their solution employs. Merchants should then verify that their solution has been upgraded to support the TLS 1.2 protocol. This often times reveals a spider web of connections. Many solution providers support a variety of gateways to reach a particular processing platform.
In the example of PayPal, merchants may be unaware that their payment acceptance solution could utilize technology from PayPal even if they do not accept PayPal as a form of payment. PayPal Holdings, Inc. has acquired various payment technologies and companies (i.e. PayFlow Pro, BrainTree, Venmo, etc.) that many payment solutions employ in the background. If a merchant’s solution utilizes a PayPal gateway and hasn’t been upgraded to support TLS 1.2, it will stop functioning after the June 30, 2017 date.
To avoid credit card acceptance interruption and protect yourself against malicious attacks, you should:
- Upgrade your systems to support the latest security protocol TLS 1.2
- Start your upgrade process today. System upgrades take time and a backlog is already forming with many vendors. This will result in many merchants unable to accept credit card payments after June 30, 2017
- Nodus customers should contact Nodus Support to discuss their upgrade options and ensure that the software versions they are using support TLS 1.2
- Migrating from SSL & Early TLS webinar by PCI Security Standards Council
- Date Change for Migrating from SSL and Early TLS
- PayPal TLS 1.2 and HTTP/1.1 Upgrade Microsite
- Nodus TLS 1.2 Security Update
Chester Ritchie is the President of Nodus Technologies (http://www.nodus.com). Nodus is a certified Microsoft Gold Level Partner for payment software within the Microsoft Dynamics family of accounting systems. Nodus products allow users of Great Plains (GP), Solomon (SL), and AX to accept electronic payments inside of the accounting system. Accounting entries related to payments are automated and cash flow is increased.