PCI, SSL and TLS can be confusing. Here are the basics about the upcoming shift in data security protocols.
Attacks on the credit card processing chain are increasingly sophisticated and prompt regular security updates. In December 2015 the Payment Card Industry Security Standards Council (PCI SSC) announced that the Transport Layer Security (TLS) 1.0 encryption methods for payment processing systems will expire June 30, 2018. As of July 1, 2018, payment processing systems must be updated to TLS 1.1 or higher to comply with PCI standards. TLS 1.1 is acceptable, but 1.2 is strongly encouraged. The requirement applies to POS systems, gateways, servers and all other internet-reliant data channels.
The Internet Engineering Task Force (IETF) spells out the details of TLS, a security protocol that encrypts data passed between web browsers and servers. Its objective is to ensure the privacy and integrity of data as it moves over the internet so that unwanted parties can’t access it. TLS originated from the Secure Sockets Layer (SSL) 3.0 protocol and eventually replaced SSL because it’s more secure. A “TLS Handshake” between servers and clients, or between servers and servers, confirms the identity of both parties and creates unique keys to encrypt and decrypt the data transferred between them. This distinguishes TLS as the gold standard in web security protocols. TLS applies to the transfer of any sensitive information—healthcare details, emails, payment information, etc.—so it’s used by a variety of entities, not just the payments industry.
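As an added example (not part of the original article), the Python code below reads the protocol version a server selects in the ServerHello message of the TLS handshake and classifies it against the rule described above: TLS 1.0 and older fail, 1.1 is acceptable, 1.2 or higher is preferred. The function names and the sample bytes are constructed for illustration.

```python
# Protocol versions as they appear on the wire (SSL 3.0 through TLS 1.3).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # TLS 1.3 reports its real version in this extension


def negotiated_version(record: bytes) -> int:
    """Return the version selected by a ServerHello record, as a 16-bit value."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                  # skip legacy_version and random
    pos += 1 + hello[pos]         # skip session_id
    pos += 2 + 1                  # skip cipher_suite and compression_method
    if pos + 2 > len(hello):
        return version            # no extensions block present
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
        if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
            version = int.from_bytes(hello[pos + 4:pos + 6], "big")
        pos += 4 + elen
    return version


def pci_status(version: int) -> str:
    """Classify per the article: 1.0 and older fail, 1.1 passes, 1.2+ preferred."""
    name = VERSIONS.get(version, hex(version))
    if version <= 0x0301:
        return f"{name}: non-compliant"
    if version == 0x0302:
        return f"{name}: acceptable, upgrade encouraged"
    return f"{name}: compliant"


def sample_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Constructed ServerHello: zeroed random, empty session id, placeholder suite."""
    hello = legacy.to_bytes(2, "big") + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    msg = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + legacy.to_bytes(2, "big") + len(msg).to_bytes(2, "big") + msg
```

The first flight of a captured handshake from a payment endpoint can be passed to `negotiated_version` in the same way as the constructed samples.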
Migration to the newer TLS protocols has been a priority for businesses well before the deadline. Last-minute updates are risky since outdated models will be disabled July 1. The inability to process transactions will pause business activity—resulting in lost revenue, lost customers and lost credibility—until the system is updated. We have worked with our merchants to ensure seamless system updates. Give us a call today to learn more about the TLS update and our merchant services.