{"id":27943,"date":"2017-10-03T04:00:00","date_gmt":"2017-10-03T08:00:00","guid":{"rendered":"https:\/\/goebt.com\/https-blog-cdesolutions-com-2017-10-preparing-your-merchants-for-the-tls-switch\/"},"modified":"2025-04-02T13:32:12","modified_gmt":"2025-04-02T17:32:12","slug":"preparing-your-merchants-for-the-tls-switch","status":"publish","type":"post","link":"https:\/\/goebt.com\/preparing-your-merchants-for-the-tls-switch\/","title":{"rendered":"Preparing Your Merchants for the TLS Switch"},"content":{"rendered":"<p><span id=\"hs_cos_wrapper_post_body\" class=\"hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text\" style=\"\" data-hs-cos-general-type=\"meta_field\" data-hs-cos-type=\"rich_text\"><\/p>\n<p>The TLS switch deadline hits June 30, 2018. All applicable merchants must use TLS 1.1 encryption (as a minimum) by June 2018, or they won\u2019t be able to process any card transactions at all. PCI has drawn this line in the sand as an absolute necessity to ensure the protection of cardholder data. Because the TLS switch may be complex for many merchants, it\u2019s crucial to get the process rolling now to avoid loss of revenue.<\/p>\n<p><strong>What is TLS?<\/strong><\/p>\n<p>TLS (Transport Layer Security) version 1.2 is the most up-to-date encryption protocol approved by PCI for online data communication. It\u2019s the successor to SSL encryption, which for the past 20 years was the primary driver for all the \u201chttps\u201d secure connections we\u2019re used to seeing online.<\/p>\n<p>The problem is that SSL (and even TLS 1.0) are no longer secure encryption methods. SSL and TLS 1.0 leave consumers and businesses wide open to data theft from an endless variety of hacks. Do the terms Heartbleed, DROWN or POODLE ring a bell? 
They\u2019re infamous bugs that infiltrate SSL and TLS 1.0 communications, and the source of countless millions of dollars lost due to data theft.<\/p>\n<p>The vulnerabilities in SSL and TLS 1.0 are so severe there&#8217;s no way to patch them. It was necessary to develop an entirely new TLS protocol, 1.1 (and its update, 1.2).<\/p>\n<p><strong>Who needs to upgrade?<\/strong><\/p>\n<p>The TLS update applies to all merchants who operate e-commerce sites, as well as merchants who transmit any form of payment data via IP. Merchants with a dedicated dial-up connection for a single terminal, or terminals that operate only within a closed-loop intranet, may find themselves exempt. However, the vast majority of merchants will need to upgrade. Vulnerable systems may include point-of-sale terminals, virtual payment terminals, back office servers, and even user computers. SSL and TLS 1.0 simply have no place in responsible data protection, and PCI compliance mandates their replacement.<\/p>\n<p><strong>When to upgrade?<\/strong><\/p>\n<p>Most major payment gateways, banks and processors have already made the switch, and are still permitting downgraded transactions for merchants who haven\u2019t. But it\u2019s absolutely crucial to get merchants moving on the migration now. Because this process may be complex, it\u2019s unwise to delay. While migrating may be tedious, it\u2019s a much better alternative than dealing with a data breach. And as of next summer, it\u2019s the only way to keep their businesses online and operational.<\/p>\n<p><strong>What\u2019s involved?<\/strong><\/p>\n<p>Every merchant setup is different. There is no one-size-fits-all solution. For many merchants, migration will be a complex process. Because of this, PSPs are facing a fair level of merchant pushback and delays. And who can blame them? 
Half of US merchants are still in the throes of the EMV migration, let alone trying to address a new mandate.<\/p>\n<p>Merchants are just not interested in considering another time-intensive, inconvenient and possibly costly revamp. And it\u2019s likely that, for many merchants, the TLS switch will be a significant upgrade indeed. Every internet-facing system that handles payment data, as well as many other web-linked software systems, will need to be included.<\/p>\n<p>PCI recommends that merchants develop a risk mitigation and migration plan, to determine their organization\u2019s vulnerabilities and plan their implementation. Luckily, PCI provides information to help merchants get started. Click here for a <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/Migrating_from_SSL_and_Early_TLS_-v12.pdf\" rel=\"noopener\">helpful document<\/a> you can provide to your merchants.<\/p>\n<p>Software and system upgrades can be especially burdensome for small merchants. If a merchant absolutely can\u2019t (or won\u2019t) upgrade their operating systems, they have some limited options. Third-party developers have created patches to make some older operating systems TLS 1.2 compliant. But be forewarned, these workarounds will still require dedicated programming time.<\/p>\n<p><strong>Overcoming Objections<\/strong><\/p>\n<p>The fact is, there is just no easy way to get around the work the TLS update may involve. But unlike EMV, the TLS switch is not voluntary. If merchants are not compliant, they will not be able to perform transactions, period.<\/p>\n<p>PSPs need to explain the mandatory aspect of this update, and remind merchants of the drop-dead date. 
After all, no one can afford to be cut off cold as of June 2018.<\/p>\n<p>By assisting your merchants in determining their vulnerabilities and beginning their migration plans, payment service providers can be an invaluable resource during this transition process.<\/p>\n<p><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The TLS switch deadline hits June 30, 2018. All applicable merchants must use TLS 1.1 encryption (as a minimum) by June 2018, or they won\u2019t be able to process any card transactions at all.&nbsp;PCI has drawn this line in the sand as an absolute necessity to ensure the protection of cardholder data. Because the TLS [&hellip;]<\/p>\n","protected":false},"author":244,"featured_media":27944,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[1],"tags":[227,205,218],"class_list":["post-27943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-important-announcement","tag-best-practices","tag-industry-news","tag-security"],"_links":{"self":[{"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/posts\/27943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/users\/244"}],"replies":[{"embeddable":true,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/comments?post=27943"}],"version-history":[{"count":1,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/posts\/27943\/revisions"}],"predecessor-version":[{"id":31217,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/posts\/27943\/revisions\/31217"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/media\/27944"}],"wp:attachment":[{"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/media?parent=27943"}],"wp:term":[{"taxonomy":"category","embeddable
":true,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/categories?post=27943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/goebt.com\/wp-json\/wp\/v2\/tags?post=27943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}