PCI DSS

There’s a new lawman in town, and his name is PCI Compliance. If you’re one of those merchants that like to treat the rules surrounding PCI compliance like the mall cop of credit card processing you’re soon in for a rude awakening. Ignore this one thing and all your payment transactions will come to a grinding halt on July 1, 2018.

Merchants are notorious for ignoring the PCI compliance rules. Running a business is an incredibly time consuming and taxing  endeavor to say the least. So when you have to spend time on things that seemingly don’t have anything to do with your business it can be frustrating. But merchants need to look at data security as an integral part of running a business, as opposed to just another extra thing somebody is making them do. I am convinced that at the core of every merchant is the desire to protect their business and their hard earned customers from the greedy hands of hackers. One of the best ways to do that is to stay on top of PCI Security Standards.

They are trying to protect people, but they need your help to make it all work. The protection that once came with Secure Socket Layer (SSL) and early versions of Transport Layer Security (TLS) have been exploited. The PCI Security Standards Council (PCI SSC) has set a deadline of July 1, 2018 for merchants to make sure all of their equipment is updated to the newer security protocol TLS 1.2. After that, they will no longer support any transactions from merchants who are noncompliant and those merchant’s payment processing will be halted completely.

Which merchants will this new security mandate effect?

This requirement applies to anyone whose payments are made over public internet. Online retailers making transactions through web browsers will need to make sure their websites are updated.  Any merchant operating POS terminals using older SSL or early TLS protocols such as TLS 1.0  are the merchants that they are targeting here. So this would not apply to merchants who are sending payment information with a terminal over a phone line.

What is TLS 1.2?

TLS, or transport layer security, is the new security protocol upgrade from SSL (secure socket layer). It is a cryptographic protocol that is used to protect the confidentiality and integrity of information as it is transferred between two systems. TLS 1.2 is the newest encryptionprotocol overseen by the Internet Engineering Task Force.

The PCI Council has informed all payments providers that “Due to a number of security concerns the PCI council has determined that payments providers must disable SSL and early versions of TLS by June 2018. “ Anyone who is still running with SSL or early versions of TLS are seriously at risk for a data breach. It is critical that everyone update to the new protocols instead of trying to fix the old ones. There really is no fix or security patch that can adequately repair the weaknesses in the older protocols that hackers have been able to take advantage of.

All merchants that process transactions that rely on the Internet and do not comply with the PCI mandate will find they are unable to process any transactions as of the July 1 deadline. The PCI Council has mandated that TLS 1.1 or higher is required to be considered compliant, but highly recommend updating to TLS 1.2. And honestly, if you’re going to do it why not update to the most recent update? They are also currently in the midst of creating TLS 1.3 as of the beginning of 2018 that will released later this year.

But depending on your service provider, you might have to be compliant much sooner.  Datawire, which is the processing service utilized by First Data, has chosen to only support TLS 1.2, the most recent version of the security protocol, and has required their merchants to become compliant by Feb. 15.

Others are going to do some testing before laying down the hammer by temporarily shutting down the processing for anyone who is still running on the older standards in order to spur them into updating before the deadline arrives.

Updating to TLS 1.2 is easy so don’t put it off.

The new TLS 1.1 and 1.2 protocols were created in 2006 and 2008 respectively so it is hard to believe there is anyone still running on older SSL and early TLS protocols. But the fact is millions are.

A simple software download is all merchants need to become compliant with the new security protocol if all they have is a stand alone payment terminal.

However, merchants who have numerous terminals or are still using older windows systems will need to take a few more steps to become completely compliant.

Online merchants will have to update their websites, POS terminals and computers running the POS software will require the update as well. Merchants will need to contact their POS providers, website developers, as well as their merchant service providers.

At Bankcard Brokers we pride ourselves on taking security seriously and strive to make sure all of our merchants are educated and up to date on all PCI requirements.  Bankcard Brokers is an innovator in the payments industry, advocating for merchants and going the extra mile to help to ensure their success. Please don’t hesitate to contact Bankcard Brokers to get the assistance you need in updating to the newer more secure protocols before time runs out.