This post was originally published on June 19th, 2017 but was updated with new information.
E-commerce security encryption changes: PCI mandate to retire TLS 1.0 and 1.1
As a service to all our customers -past, present, and future, we like to make sure you are ready for some important changes in the industry. TLS 1.0, this is an issue that is likely to affect many e-commerce businesses if they don’t take care of it before it becomes an issue. So what’s the problem? Internet encryption. If you have been on the web and have done any work on your site you are probably familiar with SSL (Secure Socket Layer). If you are in the e-commerce industry, you should remember that basic SSL became in many ways obsolete after a fundamental flaw was discovered in its core programming. This flaw made the previously powerful internet security tool all but useless for e-commerce depending on the application as it was no longer a secure method of encryption. Basic SSL support was discontinued after June 30th of 2016, forcing every reputable card processor and payment gateway to adopt TLS 1.0 or 1.1.
When is the official industry-wide TLS 1.0 or 1.1 deadline?
The PCI DSS (Payment Card Industry Data Security Standard) basic standards set by the major card companies and processors) has been modified again. Support for TLS 1.0 and 1.1 will be discontinued on June 30th of next year, 2018. This is NOT the same as Authorize.Net’s requirements. Please read below for those important dates. While this update might come across as part of a very annoying trend, remember that these standards are kept to ensure safe and secure transactions between you and your customers. Without this, fraud would be even more rampant than it is currently.
Authorize.Net’s earlier response to the TLS 1.0 1.1 mandate
In an effort to get ahead of the game and encourage others to do the same Authorize.Net had decided to push up the date when they stop supporting TLS 1.0 or 1.1 to September 18th of THIS YEAR, 2017. That meant if your business or e-commerce organization uses Authorize.Net as your payment gateway your cart system or in-house systems would have had to upgrade your server’s security to TLS 1.2 before then, luckily that is no longer the case.
New TLS upgrade cut off date from Authorize.Net
Authorize.Net has decided to extend their TLS 1.0 1.0 deadline from September 18, 2017, to February 28, 2018. Due to what can only be assumed was strong concern from merchants and SaaS providers Authorize.Net has decided to give everyone an additional 6 months. The reality is though, you should just get the upgrade over with as soon as possible. Think about it this way, if your car company recalls your car for a major defect that could easily threaten your life, it would be foolish not to bring your car in and fix that flaw. Most wouldn’t risk their life just because they like their current car as is. Well, the encryption of your website is just like your car, necessary to get information from point A to point B. When a security flaw is discovered, it’s a vulnerability that could lead to information being stolen or copied, like a credit card or account number. Fraudsters and hackers can use these vulnerabilities for their nefarious purposes, so the PCI DSS sets the standard for secure communication and storage of sensitive financial information.
What to do about Authorize.Net’s encryption changes
We would like to point out that this only affects e-commerce merchants who make transactions through Authorize.Net using a website, shopping cart, or other software that utilizes an API (Application Programming Interface). If you use Authorize.Net by way of Simple Checkout or the Merchant Interface you only need to ensure you are using a current version of a major browser (Chrome, Firefox, Safari, etc.) Also, if you use a major shopping cart like Wix, WooCommerce, Shopify, or BigCommerce they should handle this whole situation for you, just paper your files and confirm with them that your site is all set.
Going forward, if you have any questions or concerns feel free to contact us, whether you’re a client or not, and we would be happy to help in any way we can. Be sure to check our blog weekly for news, strategies, software spotlights, and tips for e-commerce businesses all over the industry. And, as always, if you are in a high-risk business like vape sales, FFL e-commerce, online cigar or alcohol sales or are simply having a hard time with e-commerce, please contact us for a payment gateway, chargeback reduction program, or merchant account recommendation anytime.