Get Your Act Together and Migrate from SSL/Early TLS before the June 30th Deadline

By Syed Zainul Haque, June 11, 2018

SSL/early TLS must be disabled by 30th June, 2018. Every business that wishes to comply with the PCI Data Security Standard (PCI DSS) will need to implement a far more secure encryption protocol. Whether you process your own customers’ or clients’ payments or you work with other businesses and partners who process online payments, migrating from SSL/early TLS to TLS 1.1 or, preferably, 1.2 and above is a crucial necessity.

PCI compliance is a necessity if you process any kind of payment transaction on your website. For instance, if you run an online store where people enter their card details to buy a product or service, PCI DSS compliance is an absolute necessity.

In this article we look at what SSL and early TLS are, what you need to do to comply with the new requirements, and how the migration will benefit you in the long term, with a few use cases for context.

What is the problem with existing PCI DSS compliance protocols?

Back in the 1990s, Netscape developed the Secure Sockets Layer (SSL) to keep data confidential while it travelled between two systems. Transport Layer Security (TLS) is its closely related successor, the cryptographic protocol that now protects payment traffic. Running the latest versions of SSL and TLS used to be a requirement for displaying a PCI DSS compliance certificate, which assures web shoppers and users that their credit card information will remain safe and that their financial data will not be put at risk.

Unfortunately, SSL and early TLS have a number of vulnerabilities that put organizations, users, and customers at risk of various threats. Many hackers and malicious entities have used these loopholes to compromise security and the privacy of financial data, and no patch can fix them: the flaws lie in the protocol versions themselves rather than in a particular implementation. In addition, attackers have grown more advanced, leaving any website that still relies on these protocols, PCI DSS-compliant or not, exposed. To mitigate these vulnerabilities, PCI DSS compliance now requires you to migrate to stronger encryption protocols.

If you can convincingly demonstrate that your payment terminals (POIs) are not susceptible to any known exploits against SSL and early TLS, you may not need to migrate them. For every other platform and situation, you will have to complete the migration by 30th June, 2018. Hence, every eCommerce or online business still using SSL or early TLS has no option but to adopt the new protocols and enforce them as soon as possible.

Note: If you are using, or planning to use, RC4, MD5, or other unapproved algorithms to fix security issues, stop immediately. These practices are not allowed under the new requirements.

Is this update only for PCI-compliant websites?

The short answer is no. If any transactions go through your website, you will need to update to newer protocols as soon as possible. Even if you have not applied for PCI certification, and even if you have other ways of showing your users that you provide a secure transaction environment, you still need to move off SSL and early TLS.

What you need to do immediately

  • If you are not PCI-compliant and do not intend to seek certification, you still need to upgrade to the latest encryption protocols in order to avoid the known weaknesses of SSL and early TLS.
  • Conduct a website audit and make sure that existing threats are addressed. To address the vulnerabilities in SSL and early TLS you must migrate to at least TLS 1.1; TLS 1.2 or above is strongly recommended, since older versions simply cannot withstand current attacks.
  • If your clients or partners run websites, urge them to update to TLS 1.2 immediately as well, because directly or indirectly you will be held responsible for any security breach that occurs. Do not forget that GDPR is already in force and that financial information counts as personal data too.
  • Make sure that there are no implementation vulnerabilities, such as the numerous ones found in OpenSSL. Keep patches up to date and have countermeasures ready for security threats. Move vulnerable OpenSSL builds to a patched release and onto TLS 1.2 or later quickly, in order to keep yourself, your customers, and your clients safe from hackers and attackers.
  • If you are configuring TLS yourself, do it securely: enable only secure TLS cipher suites and disable the unwanted ones. In short, disable whatever interoperability does not require. Check that adequate key sizes are used as well. The PCI SSC website has a lot of information on SSL and early TLS migration; visit it for more guidance.
  • If you do not want to take on the risk of migrating from SSL/early TLS to TLS 1.2 yourself, consider partnering with an external agency. External vendors have the time, resources, and technical expertise to move all your websites to the latest TLS version without errors, and your customers will not experience downtime or inaccessibility during or after the migration. Tell us if you are struggling.
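The configuration advice in the list above (support only secure cipher suites, disable whatever interoperability does not need, check key sizes, and refuse SSL and early TLS) can be turned into a repeatable check. The following is an added example written for this article, not code from the original post or from any vendor: it uses Python's standard-library `ssl` module to build a server context whose protocol floor is TLS 1.2 and whose cipher list is explicit, then audits what OpenSSL actually enables for that context. The weak-algorithm token list, the 128-bit key-size floor, and the constructed "legacy" sample configuration are this example's own assumptions; RC4 and MD5 are the two algorithms the article names.

```python
"""Audit a TLS configuration against the 'disable what you don't need' advice.

Added example, not code from the original article: it uses Python's
standard-library ssl module to build a server context whose protocol floor
is TLS 1.2 and whose cipher list is explicit, then audits what OpenSSL
actually enables.  The weak-algorithm tokens, the 128-bit floor and the
'legacy' sample configuration are this example's own assumptions (RC4 and
MD5 are the two the article names).
"""
import ssl

# Algorithm tokens that must not appear in an enabled cipher-suite name.
# OpenSSL spells 3DES as "DES-CBC3", so the "DES" token covers it.
WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128  # assumed policy floor for the symmetric key size

# Explicit OpenSSL suite names for TLS 1.2; names a build lacks are ignored
# as long as at least one matches.  TLS 1.3 suites are negotiated separately
# and are all AEAD, so they need no filtering here.
HARDENED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
])

# Constructed sample of a server that still accepts early TLS and weak suites,
# in the shape ssl.SSLContext.get_ciphers() returns (only the keys used here).
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_SUITES = [
    {"name": "ECDHE-RSA-RC4-SHA", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "AES128-SHA", "strength_bits": 128},
]


def cipher_violations(name, strength_bits):
    """Return the policy violations for one suite (empty list if acceptable)."""
    reasons = []
    tokens = name.upper().split("-")  # token match, so SHA256 is never read as DES
    for weak in WEAK_TOKENS:
        if weak in tokens:
            reasons.append(f"uses {weak}")
    if strength_bits < MIN_STRENGTH_BITS:
        reasons.append(f"only {strength_bits}-bit symmetric key")
    return reasons


def audit(min_version, suites):
    """Check a protocol floor and a list of enabled suites against the policy."""
    findings = {"protocol": [], "ciphers": {}}
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings["protocol"].append(
            f"minimum version is {min_version.name}; must be TLSv1_2 or higher")
    for suite in suites:
        reasons = cipher_violations(suite["name"], suite["strength_bits"])
        if reasons:
            findings["ciphers"][suite["name"]] = reasons
    findings["ok"] = not findings["protocol"] and not findings["ciphers"]
    return findings


def build_hardened_context():
    """Server context that refuses SSLv3/TLS 1.0/TLS 1.1 and offers only AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_context(ctx):
    """Audit a live SSLContext: its floor plus every suite OpenSSL reports enabled."""
    return audit(ctx.minimum_version, ctx.get_ciphers())


def audit_legacy_sample():
    """Audit the constructed legacy configuration above."""
    return audit(LEGACY_MIN_VERSION, LEGACY_SUITES)


if __name__ == "__main__":
    for label, report in (("hardened context", audit_context(build_hardened_context())),
                          ("constructed legacy sample", audit_legacy_sample())):
        print(f"{label}: {'OK' if report['ok'] else 'NOT COMPLIANT'}")
        for issue in report["protocol"]:
            print("  protocol:", issue)
        for name, reasons in report["ciphers"].items():
            print(f"  {name}: {', '.join(reasons)}")
```

Run the file directly to print both reports, or point `audit_context` at the `SSLContext` your application actually hands to its web server and fail the build when `ok` is false. `set_ciphers` only governs TLS 1.2 and earlier; the TLS 1.3 suites are fixed AEAD suites that `get_ciphers()` also reports, which is why the audit iterates over everything the context exposes rather than trusting the cipher string alone.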

How We Can Help

  1. Stop Unwanted Calls

Problem: An eCommerce business noticed that some customers had started receiving unwanted calls from suspicious entities. Hackers had exploited SSL vulnerabilities during checkout to extract customers’ personally identifiable information, which they used not only to make calls but potentially for more malicious purposes.

Solution: We helped the business to smoothly migrate to TLS 1.2, without causing any difficulties or downtime for their website operations.

  2. Get the ERP Right

Problem: A large multinational company providing cloud ERP has several eCommerce clients around the world. It wanted to know whether the payment management sub-module of its inventory management module needed fixing. Vulnerabilities in the inventory management module can affect not only the cloud ERP provider but also its eCommerce clients and their end users.

Solution: We helped the cloud ERP developer migrate to the latest TLS version, which protected its clients and their customers.

  3. Improve Website Speed and Loading Time

Problem: An online B2B company ran into difficulties during its SSL/early TLS migration. It was unable to get its website working after migrating: library issues and coding flaws broke the site.

Solution: We fixed the errors and migrated to TLS 1.2 all over again. The client was then able to assure its own clients that its website was PCI-compliant and that payment transactions could be made safely and securely.

While you can do this yourself, you may find it hard to ensure that your website and application remain functional during and after migration. If you want to keep your business operations running smoothly and comply with the new encryption requirements as soon as possible, do not hesitate to contact us today. We will help you migrate your website and application to the latest TLS version without friction or hitches.