June 30, 2018, was the deadline for companies to upgrade to TLS 1.2 or TLS 1.1, as mandated by the PCI Security Standards Council. Companies that didn’t upgrade received warnings from their payment gateways, or in some cases were unable to process credit cards at all.
If you received a notification or warning that you must update your systems to TLS 1.1 or higher, or if you found yourself unable to process payments, now is the time to take action and upgrade.
What is TLS?
TLS (Transport Layer Security) is a security protocol used for transporting data across online networks. TLS protects the information you exchange online from being viewed by outside parties. It is especially important in digital payment transactions, where credit card information and other sensitive information are handled.
TLS has been an integral component of web security for over 20 years. Its earliest version was developed in the early 1990s and was called SSL (Secure Sockets Layer). SSL 1.0 and SSL 2.0 had numerous security risks, but in 1996, SSL 3.0 addressed these issues and became one of the default security protocols across the web.
TLS 1.0 was developed in 1999 as an update to SSL 3.0. Its use as a standard protocol became widespread, and it was followed by updates TLS 1.1 and TLS 1.2.
The PCI Security Standards Council ruled that businesses using TLS 1.0 or the older SSL 3.0 must upgrade to TLS 1.1 or TLS 1.2 (ideally TLS 1.2) by June 30, 2018, or face the inability to process payments.
Why upgrade to TLS 1.2?
TLS 1.0 and SSL 3.0 have several well-known security flaws that have already been exploited by hackers. The BEAST and POODLE incidents (serious in nature, while hilarious in name) are examples of widespread exploitation of these flaws.
The PCI Security Standards Council states that there are no patches that can fix these security flaws. Therefore, it is crucial that systems that utilize TLS or SSL be upgraded to TLS 1.1 or TLS 1.2. As TLS 1.2 is the most current version of TLS and addresses several issues with TLS 1.1, we strongly recommend upgrading to this version.
Under the PCI Security Standards Council’s requirement, systems that do not use TLS 1.1 or higher after June 30, 2018, will cease to function properly.
Businesses that did not upgrade their systems by the deadline have already been negatively impacted. Many were left without the ability to process credit cards or perform similarly crucial functions.
Keep in mind that even if your systems continue to work without the mandatory TLS update, you’re putting your customers’ information at risk by utilizing an outdated TLS or SSL protocol. If a data breach does occur, your business will likely suffer enormous fines from the PCI Security Standards Council and lose the trust of your customers.
How to upgrade to TLS 1.2
The mandatory TLS upgrade affects many systems, including (but not limited to) online stores, payment gateways, and locally installed software.
Most online systems, such as your payment gateway and online store, have already been updated on the back end, so there’s probably no action required on your part.
If one of your systems notified you of the mandatory TLS upgrade, make sure to fully read the notification. And if the notification provided you with instructions on how to upgrade, follow the instructions.
Certain systems stored locally on your own servers or devices, such as payment integrations, will also require the TLS upgrade. However, it’s hard to determine right off the bat what you’ll need to upgrade. It all depends on your business’s unique setup.
Due to the inherent complexity of this issue, we recommend calling your payment processor, acquiring bank, or accounting software consultant to discuss your system. They will be able to tell you what needs to be upgraded and how to do it.
If you process with Century Business Solutions, upgrading your system to TLS 1.2 is as simple as reaching out to our support team at 888-500-7798. They’ll be able to upgrade your payment integration in a matter of minutes, ensuring your system is secure and up-to-date.
While the June 30 deadline has passed, it’s not too late to upgrade to TLS 1.2. Most browser-based systems (like your payment gateway) have already been updated on the back end, but there’s a good chance that any local software you use to handle payments needs to be upgraded. If you’re unsure of which systems need to be upgraded, reach out to one of the institutions that handle your payment processing, such as your credit card processor or acquiring bank.