Recently, credit card payment gateways have begun requiring the TLS 1.2 protocol. It's been a headache for any small to midsized enterprise (SME) that accepts credit cards and has an online/eCommerce platform. As businesses transition to a more secure encryption protocol, SSL and earlier versions of TLS are no longer being accepted. It is recommended that SMEs adopt TLS version 1.2 to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. But some Vision33 customers are asking why this upgrade was necessary. Here's some explanation.
What is TLS?
TLS stands for Transport Layer Security. It and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols. Their purpose is to provide secure communications over a computer network between two systems: they authenticate one or both systems and protect the confidentiality and integrity of the data transmitted. The simplest examples are a customer buying a product from an online retailer with a credit card, or an integration point between SAP Business One and an eCommerce system. The protocols ensure that sensitive information in transit can't be read or tampered with by a third party.
Why Was the Upgrade Necessary?
For roughly 20 years, Secure Sockets Layer (SSL) was one of the most widely used encryption protocols. Like many encryption technologies, it became less secure over time as weaknesses in its design were discovered and turned into practical attacks. That is what has happened in recent years: the PCI Security Standards Council (PCI SSC) has stated that SSL and early TLS (TLS 1.0) no longer meet its definition of strong cryptography.
After the 2014 disclosure of the POODLE attack against SSL 3.0, PCI DSS 3.1 (April 2015) removed SSL and early TLS from its list of acceptable protocols. Heartbleed, disclosed the same year, was a bug in the OpenSSL library rather than in the protocol itself, but it is often cited alongside POODLE as evidence that systems built on SSL-era technology are at risk of a data breach. Because POODLE exploits the design of the protocol rather than any one implementation, there are no fixes or patches that make SSL or TLS 1.0 safe; NIST guidance (SP 800-52) likewise disallows SSL. Hence the movement towards newer, secure protocols.
What Type of Businesses Are Most at Risk?
Online and eCommerce environments that still use SSL or early TLS are the most exposed. After the PCI SSC migration deadline of 30 June 2018, the requirement applies to all environments; the only exception is for point-of-sale (POS) payment terminals (and the SSL/TLS termination points they connect to) that can be verified as not being susceptible to the known exploits. That is why it is important for companies that do business with an eCommerce provider to ensure they upgrade to a secure alternative as soon as possible.
The Upgrade to TLS 1.2
PCI DSS 3.2 requires any website that accepts credit card payments to stop using SSL and TLS 1.0 for payment traffic by 30 June 2018. TLS 1.1 is technically permitted, but TLS 1.2 is the recommended minimum, and it is the version that many services integral to doing business, including PayPal, Authorize.net, Stripe, UPS, and FedEx, now require. These companies have stated that they will refuse TLS 1.0 connections, which is why it is important to migrate to TLS 1.2 sooner rather than later to avoid service disruption and lost business.
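Rather than taking a gateway's cut-off date on faith, you can see for yourself which protocol versions an endpoint (a gateway's API host, or your own eCommerce site) will negotiate. The script below is an added example written for this article; it is not part of the original post and not Vision33 or SAP tooling. It assumes the openssl command-line tool is installed, takes the host and port as arguments, attempts one handshake per TLS version with openssl s_client, and reads the outcome from s_client's own output. The sample s_client output used to describe the parser is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): probe which TLS versions a
# server accepts, using the openssl s_client tool. Usage: check_tls HOST [PORT]

# negotiated_protocol: read s_client output on stdin and print the protocol
# that was actually negotiated (e.g. "TLSv1.2"), or "none" if the handshake
# failed. A failed handshake still prints a "Protocol" line for the version
# the client tried, so the reliable signal is the "New, ..., Cipher is ..."
# line: it reads "(NONE)" when no session was established.
negotiated_protocol() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        printf 'none\n'
    else
        printf '%s\n' "${proto:-unknown}"
    fi
}

# try_version HOST PORT FLAG: one handshake attempt restricted to a single
# protocol version (FLAG is -tls1, -tls1_1, -tls1_2 or -tls1_3). stdin is
# closed so s_client exits right after the handshake; stderr is discarded
# because a refused version is an expected outcome, not an error to show.
try_version() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>/dev/null \
        | negotiated_protocol
}

# check_tls HOST [PORT]: report accepted/refused for each version. An endpoint
# that has completed the PCI DSS migration should show -tls1 refused and
# -tls1_2 accepted.
check_tls() {
    host=$1
    port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(try_version "$host" "$port" "$flag")
        if [ "$result" = none ]; then
            printf '%-8s refused\n' "$flag"
        else
            printf '%-8s accepted (%s)\n' "$flag" "$result"
        fi
    done
}

# Run against a real endpoint when invoked directly with arguments, e.g.
#   sh check_tls.sh api.paypal.com 443
if [ "$#" -gt 0 ]; then
    check_tls "$@"
fi
```

One caveat when reading the results: recent OpenSSL builds often have TLS 1.0 and 1.1 disabled on the client side, so "-tls1 refused" may reflect your own openssl rather than the server. If you need to prove a server still accepts TLS 1.0, run the check from a machine with an older OpenSSL, which is exactly the kind of legacy client the gateways are shutting out.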
Upgrading to TLS 1.2 removes the known protocol-level weaknesses that put card data at risk, reducing your exposure to data breaches and cyber-attacks and allowing you to process credit card transactions safely in conjunction with SAP Business One. The good news for Vision33 customers that were affected: we've been aware of this, and we're happy to report that many of our software partners are already TLS 1.2 compatible.
Hopefully that provides some clarification. If you have any additional questions about TLS 1.2, please contact a certified Vision33 consultant; they are happy to help.