Will Your Payment Processing Break Due To Mandatory Security Update? – 2017 Deadline Approaching for TLS 1.2 Requirement
The PCI Security Council has mandated that online merchants who accept credit cards must upgrade from the older SSL and early TLS security protocols, to the newer TLS 1.2 protocol. The required implementation dates to remain in compliance have changed multiple times, causing merchant confusion. To further this confusion, individual gateways and processors have their own implementation timelines for TLS 1.2 support.
Due to recent high profile attacks, some vendors have decided to expedite the transition to TLS 1.2 and completely end support of the older, less secure protocols. This was primarily done because of the known risks of the older security protocols and the PCI Security Council’s assessment of the risk to merchants. The PCI Security Council has stated, “The vulnerabilities within SSL and early TLS are serious and left unaddressed put organizations at risk of being breached.” Because of these known risks, payment technology vendors have become more aggressive in their implementation timeframes and are in the process of deprecating the older protocols beginning in 2017.
One such company is PayPal. PayPal just recently turned off support of the older protocol for test environments and will completely stop supporting the older protocols by June 30, 2017. FOR MERCHANTS USING A PAYPAL PAYMENT GATEWAY WHO HAVE NOT UPGRADED THEIR SYSTEMS TO SUPPORT TLS 1.2, CREDIT CARD PROCESSING SERVICES WILL NO LONGER WORK AFTER THAT DATE.
Dates to know:
- PCI Security Council original date of TLS 1.2 compliance was 2016
- PCI Security Council new date of TLS 1.2 compliance is June, 2018
- PayPal testing environment ended support of older protocols on February 15, 2017
- PayPal production environment ends support of older protocols on June 30, 2017
How do you ensure you will be able to accept credit card payments after the June 30, 2017 deadline? The first thing merchants should do is contact their systems providers to determine all of the payment gateway connections their solution employs. Merchants should then verify that their solution has been upgraded to support the TLS 1.2 protocol. This often times reveals a spider web of connections. Many solution providers support a variety of gateways to reach a particular processing platform.
In the example of PayPal, merchants may be unaware that their payment acceptance solution could utilize technology from PayPal even if they do not accept PayPal as a form of payment. PayPal Holdings, Inc. has acquired various payment technologies and companies (i.e. PayFlow Pro, BrainTree, Venmo, etc.) that many payment solutions employ in the background. If a merchant’s solution utilizes a PayPal gateway and hasn’t been upgraded to support TLS 1.2, it will stop functioning after the June 30, 2017 date.
To avoid credit card acceptance interruption and protect yourself against malicious attacks, you should:
- Upgrade your systems to support the latest security protocol TLS 1.2
- Start your upgrade process today. System upgrades take time and a backlog is already forming with many vendors. This will result in many merchants unable to accept credit card payments after June 30, 2017
- Nodus customers should contact Nodus Support to discuss their upgrade options and ensure that the software versions they are using support TLS 1.2
- Migrating from SSL & Early TLS webinar by PCI Security Standards Council
- Date Change for Migrating from SSL and Early TLS
- PayPal TLS 1.2 and HTTP/1.1 Upgrade Microsite
- Nodus TLS 1.2 Security Update
Chester Ritchie is the President of Nodus Technologies (http://www.nodus.com). Nodus is a certified Microsoft Gold Level Partner for payment software within the Microsoft Dynamics family of accounting systems. Nodus products allow users of Great Plains (GP), Solomon (SL), and AX to accept electronic payments inside of the accounting system. Accounting entries related to payments are automated and cash flow is increased.
Verifone announced the discontinuance of the PCCharge and PAYWare credit card processing software titles in 2015. All development, orders, and shipments have been discontinued. Late last year, Verifone also ceased all support of the products.
The reason for the end-of-life of these popular products was due to legacy technology and their lack of security. These products were on-premise installed software that acted as a middleware between many applications and the credit card processor. They put merchants at risk of a hacker attack by storing credit card cardholder information locally on merchant computers. Merchants would be liable for any losses that occur if their local environment is compromised and these credit card numbers are stolen.
How To Protect Your Business
There are a large number of businesses still running versions of PCCharge and PAYWare today. It is extremely important to cease using these products immediately and switch to a newer solution for your credit card processing and merchant service needs
The Nodus PayFabric payment processing gateway can be used to replace PCCharge or PAYWare with minimal interruption to your business. PayFabric is a cloud-based solution that removes local storage of credit cards and places them in the off-premise secure Nodus cloud. Credit card information is further safe-guarded by encrypting cardholder information and tokenizing the stored information.
Nodus PayFabric is already integrated to many ERP, CRM and business line software solutions. Nodus has been the payment solution for Microsoft Dynamics accounting systems for over 14 years. In addition to providing a secure credit card processing solution, Nodus payment solutions integrate with your accounting system to automate accounting entries, provide lowest rates for B2B transactions, and get you paid faster by automating A/R.
For more information on how to upgrade your Verifone PCCharge or PAYWare software to PCI compliant credit card processing software, please visit http://www.nodus.com or call us at 909-482-4701.