If your e-commerce business processes card payments on your website and you haven’t yet met the requirements for use of modern encryption (TLS 1.1 and 1.2), then come June 30, 2018, your business will be in violation of the PCI Data Security Standard (PCI DSS). The upcoming PCI compliance deadline is approaching — and fast!
To help you prepare, we have put together a short FAQ. Our team is prepared to help you meet these requirements before the PCI compliance deadline. Please get in touch today!
What is SSL and TLS?
SSL stands for Secure Sockets Layer, and TLS stands for Transport Layer Security. Both are cryptographic protocols used to secure transmissions between systems, typically a web server and a web browser. SSL is the older protocol, developed in the 1990s; the last release of SSL was in 1996. As of 2014, SSL is no longer considered secure.
Released in 1999, TLS has replaced SSL. TLS has three iterations and only TLS 1.1 or higher is considered secure.
What is the risk of using SSL/early TLS?
There are many vulnerabilities in SSL and early TLS that have never been addressed. Don’t let your organization be compromised by attackers who have learned to take advantage of the weaknesses in these old protocols. There are no fixes or patches that adequately repair SSL or early TLS, so it’s important to make the upgrade a priority.
Online and e-commerce businesses using SSL and early TLS are most susceptible to attack. The June 30 deadline applies to all environments except for payment terminals that can be verified as not being susceptible to any known exploits for SSL and early TLS.
What’s the significance of the June 30th PCI compliance deadline?
In April 2015, after determining that all versions of SSL and TLS 1.0 were vulnerable to attack, the Payment Card Industry (PCI) released a new Data Security Standard (DSS) that declared these versions insecure and announced that systems using them would no longer be compliant. June 30, 2018 was chosen as the PCI compliance deadline. You can read more about the reason for the deadline directly from PCI.
What if I have a mitigation and migration plan in place with my ASV?
In order for your business to claim PCI compliance while still using SSL or TLS 1.0 between 2015 and June 30, 2018, you would have had to submit a mitigation and migration plan to a PCI Approved Scanning Vendor (ASV) on a quarterly basis. After the June 2018 PCI compliance deadline, ASVs will no longer accept mitigation and migration plans as an exception, meaning these companies will no longer be able to claim compliance.
What action should be taken to protect against SSL and early TLS vulnerabilities to maintain compliance?
Because there are no fixes or upgrades that can be applied to SSL or TLS 1.0, the only option is to move to TLS 1.1 or 1.2. To make the upgrade, the server configuration must be changed to disable the server's ability to fall back to SSL or TLS 1.0. PCI compliant companies must make this change to remain compliant.
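Once the server configuration has been changed, the change should be verified from the outside: a server that still answers a TLS 1.0 handshake is still non-compliant, whatever its configuration file says. The following POSIX shell script is an added example, not WSM's tooling or code from this article. It uses the openssl command-line tool (s_client with its -ssl3, -tls1, -tls1_1 and -tls1_2 options) to attempt one handshake per protocol version against a host you name, then judges the list of accepted versions against the requirement above. The host and port are placeholders you supply, and the strings matched in the s_client output are assumptions about how that tool reports success and failure.

```shell
#!/bin/sh
# Added example (not WSM's tooling): probe which SSL/TLS versions a server
# still accepts, then judge the result against the PCI DSS requirement that
# SSL and TLS 1.0 be disabled. Requires the openssl command-line tool.
# The host and port are placeholders: point them at your own server.

# Attempt one handshake with a single protocol version forced via the
# openssl s_client option given in $3. Prints "accepted", "rejected" or
# "unavailable" (this OpenSSL build cannot speak that version itself, so the
# probe says nothing about the server). The matched phrases are assumptions
# about s_client's wording.
probe_protocol() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    case "$out" in
        *"nknown option"*|*"no protocols available"*) echo unavailable ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"protocol version"*) echo rejected ;;
        *"Cipher is "*) echo accepted ;;
        *) echo rejected ;;
    esac
}

# Given a space-separated list of protocol names the server accepted, print
# a verdict and return 0 for compliant, 1 for non-compliant. Any SSL version
# or TLS 1.0 fails; at least one of TLS 1.1 / TLS 1.2 must be present.
pci_tls_verdict() {
    for p in $1; do
        case "$p" in
            SSLv2|SSLv3|TLSv1) echo "NON-COMPLIANT: server still accepts $p"; return 1 ;;
        esac
    done
    case " $1 " in
        *" TLSv1.1 "*|*" TLSv1.2 "*) echo "COMPLIANT: only $1 accepted"; return 0 ;;
        *) echo "NON-COMPLIANT: no modern TLS version accepted"; return 1 ;;
    esac
}

# Full scan of one host: probe each version, collect the accepted ones, judge.
scan_host() {
    host=$1; port=${2:-443}
    accepted=""
    for pair in "SSLv3 -ssl3" "TLSv1 -tls1" "TLSv1.1 -tls1_1" "TLSv1.2 -tls1_2"; do
        name=${pair% *}; flag=${pair#* }
        result=$(probe_protocol "$host" "$port" "$flag")
        echo "$name: $result"
        [ "$result" = accepted ] && accepted="$accepted $name"
    done
    pci_tls_verdict "${accepted# }"
}

# Usage: sh check_tls.sh www.example.com 443   (placeholder host)
if [ -n "${1:-}" ]; then
    scan_host "$1" "${2:-443}"
fi
```

Run it against each public-facing hostname and port that handles cardholder data, not just the main site. On recent OpenSSL builds the client itself refuses to offer TLS 1.0 and 1.1 at the default security level, which the script reports as "unavailable"; adding `-cipher 'DEFAULT:@SECLEVEL=0'` to the s_client command lets the client offer them so the server's answer can be observed. An "unavailable" result is a gap in the test, not evidence of compliance.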
Is there a risk in not upgrading?
Yes! Not upgrading means that your website communications are no longer secure, and an attacker could be gathering customer data. Also, if you are no longer PCI compliant and continue to operate, your business may face fines from PCI.
How can WSM help me take action?
WSM offers a full range of PCI compliance services. We can assist your business with upgrading your TLS to a compliant version to make sure that your business continues to maintain compliance. Avoid fines, protect your customers, win-win. Contact us today!