Those of you with e-commerce websites have expressed some concern over some worrisome messages from your payment gateways such as Authorize.net or PayPal that you have been receiving throughout the year and how you may be affected.
The Payment Card Industry (PCI) Security Standards Council is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council's founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council.
Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and protect the confidentiality and integrity of information that passes between systems. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Both SSL and TLS are commonly referred to as SSL. Standardized by the Internet Engineering Taskforce (IETF), TLS has undergone several revisions to improve security to block known attacks and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008. TLS 1.3 is still being finalized. There are many serious vulnerabilities in SSL and early TLS that left unaddressed put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations. According to the National Institute of Standards and Technology (NIST), there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
To comply, your payment gateways that process your credit card transactions are required to disable early TLS by June 30th, 2018. PayPal has actually already started blocking early TLS connections as of June 30th of this year. Authorize.Net will start to block these connections on February 28th, 2018.
Be assured, all of our servers that your websites are currently hosted on are in compliance with TLS 1.2, so your websites should not be affected by these deadlines.
You may however experience some issues with secure websites across the globe if your particular browser is not up to date. Browsers released prior to 2014 may not support TLS 1.2. You can check your browser's TLS support by visiting https://www.howsmyssl.com.