As EMV continues being implemented in the United States, businesses will see a reduction in fraud related to “in person” transactions. EMV technology works to prevent criminals from re-using stolen credit card data; however, this could cause an increase in other types of fraud, especially “card not present” transactions. Ecommerce is booming and retailers are not required to check IDs when someone makes a purchase online. They have to trust that the person who is giving the number is an authorized user. In addition, shopping online isn’t always as secure as it seems, as criminals work very hard to stay ahead of the game.
The standard that has been in place for the last 20 years or so is SSL, Secure Sockets Layer. This encryption protocol was supported by the PCI Security Standards Council. The PCI council is the organization responsible for setting best practice standards for all businesses that accept credit cards. As more and more vulnerabilities come to light, the PCI SSC has focused its attention on requiring a new and more secure form of data encryption called Transport Layer Security, or TLS.
TLS is a type of security protocol designed to allow communications between applications in such a way as to prevent eavesdropping, tampering, or message forgery. The protocol works on two levels – the TLS Record protocol and the TLS Handshake protocol. The TLS Record protocol works by creating a private, reliable connection between a server and a client. It can be used with or without encryption, and a communications relationship between the parties is ensured using special codes and functions. The TLS Handshake Protocol sets up the relationship between the server and client by allowing them to agree upon a specific encryption algorithm and encryption keys before the application protocol starts to send data. Basically, it’s a bit like the movie “The Imitation Game,” where each party has the same code key and uses it to send and decode messages. Only here, all the work is done in the TLS protocol.
The rationale behind moving towards this new technology is simple – while SSL performs a similar process in that it encrypts data between two points such as a web browser and web server, research in 2014 showed that there was a security vulnerability in the protocol which would allow attackers to extract data from secure connections. This attack was even given a cute name – POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption. However, this vulnerability is anything but cute and is a huge risk for organizations that are still using SSL.
TLS has been around for several years in an older version, which also became vulnerable to attacks. However, the new version of TLS is considered to be superior to any other data security service, and the PCI Security Standards Council now recommends that all businesses upgrade to the latest version of TLS, which is currently 1.3. For now it is just a recommendation, but the Council has set a migration deadline and will require all organizations to migrate from SSL and early versions of TLS to at least TLS 1.1 by June 2018.
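To make the handshake agreement and the migration floor above concrete, here is an added example (not part of the original post) that reads the protocol version a server selected in its ServerHello message and checks it against the "at least TLS 1.1" minimum. The function names are hypothetical and the sample messages are constructed by `build_server_hello`, not captured traffic.

```python
import struct

# Version codes as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ALLOWED = 0x0302  # floor taken from the text above: at least TLS 1.1


def negotiated_version(record):
    """Return the protocol version code a ServerHello record selects."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                       # skip version and server random
    pos += 1 + hello[pos]              # skip session id
    pos += 2 + 1                       # skip cipher suite and compression
    if pos + 2 > len(hello):
        return version                 # no extensions: SSL 3.0 to TLS 1.2
    end = min(len(hello), pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        # TLS 1.3 keeps 0x0303 in the version field and signals the real
        # version in the supported_versions extension (type 0x002b).
        if ext_type == 0x002B and ext_len == 2 and pos + 6 <= end:
            return struct.unpack("!H", hello[pos + 4:pos + 6])[0]
        pos += 4 + ext_len
    return version


def audit(record):
    """Return (version name, meets the minimum) for one ServerHello."""
    code = negotiated_version(record)
    return VERSIONS.get(code, "unknown"), code in VERSIONS and code >= MIN_ALLOWED


def build_server_hello(legacy, selected=None):
    """Constructed sample ServerHello (zeroed random), not a real capture."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if selected is not None:
        ext = struct.pack("!HHH", 0x002B, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(hs)) + hs
```

Raising `MIN_ALLOWED` to `0x0303` turns the same check into a TLS 1.2 floor.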
If you own a business, you want to deal with a payment processor that is knowledgeable about the security requirements and types of encryption. Maintaining a high level of security not only protects your customers but also your business. Data security breaches can easily cost a business over $25,000 in fines and fees alone. Work with a company that cares about your success. Bankcard Brokers is your go-to payment processor – reliable, knowledgeable and in compliance with all required security standards.