Now that we have all recovered from the sprint to become GDPR compliant, there is another date that everyone should be adding to their diary. June 30th 2018 is the date the PCI Security Standards Council (PCI SSC) has set as the end of life for early versions of Transport Layer Security (TLS) and Secure Sockets Layer (SSL).
What are TLS and SSL?
TLS and SSL are cryptographic protocols that secure communication between computers across a network. They authenticate the parties to a connection and keep any sensitive information exchanged over it private.
Why can we no longer use TLS 1.0 or SSL after June 30th 2018?
PCI SSC has deemed SSL and TLS versions 1.0 and below no longer a secure form of encryption. Both protocol families are around 20 years old, and because of their universal use they have been the focus of attackers and security researchers alike. Over that time, various vulnerabilities have been found in both.
The vulnerabilities affecting TLS 1.0 and SSL vary and are significant: systems that use these protocols may carry cryptographic, implementation, and/or configuration weaknesses. This means that your site could become insecure, allowing man-in-the-middle attacks (e.g. POODLE) that let an attacker decipher confidential, encrypted information. You could also lose cryptographic keys: an attacker who gains access to long-lived keys can copy them, and stolen or copied keys let the attacker create harmful code that observes your company's traffic, decodes sensitive customer data, or even impersonates your company's server.
It is important to note that payment terminals (POIs) using either TLS 1.0 or SSL are not as exposed to these issues as browser-based systems. You will still be able to use these versions past the 30th of June 2018; however, as a company you will have to demonstrate that these systems are not susceptible to the weaknesses mentioned above. The best way to verify this is to ensure that the POIs, and the termination points they connect to, have the most recent patches applied.
What can we do now?
Ecommerce sites using these outdated protocols are at the highest risk, and there are no known fixes for the issues found. Start the migration process today by checking which version of these protocols you are using: if it is TLS 1.0 or lower, or SSL, you must upgrade to TLS 1.2 or above. Don't archive this issue as something to start next week; begin the process right away. To keep your site compliant, contact C3 to discuss updating to TLS 1.2 or higher.
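To check which versions one of your own servers still accepts, here is an added example (not code from the original post or from C3): a Python 3.7+ probe that pins each handshake to a single protocol version and reports anything below the TLS 1.2 target; the host and port are values you supply, and the findings rules reflect this article's advice.

```python
import socket
import ssl

# Versions probed, oldest first. SSL 3.0 is left out: current OpenSSL builds
# no longer ship it, so Python cannot offer it to the server at all.
PROBE_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only protocol negotiation is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate
    ctx.minimum_version = version    # Python 3.10+ warns for TLS 1.0/1.1; harmless
    ctx.maximum_version = version
    try:
        # Modern OpenSSL will not offer TLS 1.0/1.1 at its default security
        # level; lowering it lets the probe actually send the old ClientHello.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not understand @SECLEVEL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        return False  # the server (or our own library) refused this version

def audit_host(host, port=443):
    """Map each probed version name to whether the server accepted it."""
    return {name: probe_version(host, port, v) for name, v in PROBE_VERSIONS}

def findings(accepted):
    """Turn an audit result into the actions the PCI deadline calls for."""
    out = [f"{name} is still accepted: below the TLS 1.2 target"
           for name in ("TLS 1.0", "TLS 1.1") if accepted.get(name)]
    if not (accepted.get("TLS 1.2") or accepted.get("TLS 1.3")):
        out.append("no TLS 1.2 or higher offered: enable it before disabling anything")
    return out

if __name__ == "__main__":
    import sys
    result = audit_host(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    for name, ok in result.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print("\n".join(findings(result)) or "OK: only TLS 1.2 or higher is offered")
```

A "rejected" result for TLS 1.0 or 1.1 can also mean your local OpenSSL build refused to offer it, so confirm a clean result against the server's own configuration before signing it off.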