TLS 1.0: 3rd party encryption libraries that can save you time and money

A few weeks ago, I had the pleasure of talking with Kate Fitzgerald at PaymentsSource about the state of security in the payments world. The fact is, plenty of U.S. merchants still working to complete their migration to EMV now have another high-pressure technology hurdle to worry about: most are still using a transaction security protocol set to expire in the next 11 months, and if they don’t take appropriate action they’ll be unable to process transactions in July 2018.
Most merchants are still relying on version 1.0 of the encryption protocol known as Transport Layer Security (TLS), but because of known weaknesses in that version of the protocol, the Payment Card Industry is withdrawing support for TLS 1.0 on June 30, 2018, and payment processors, acquirers, merchant service providers, and payment gateways will follow suit immediately. Some have already begun disabling the legacy protocol in advance of the PCI deadline.
Switching to one of the two more recent supported versions of the protocol—either TLS 1.1 or TLS 1.2—should be relatively simple. Newer versions of Microsoft Windows and other operating systems support TLS 1.1 and 1.2 out of the box, and your POS would likely “just work” if it were running on one of these newer operating systems. But many merchants are held back by their use of older computer hardware and Windows operating systems older than Windows 7. To give you a sense of magnitude, over 50% of Cayan’s transactions presently use the TLS 1.0 protocol – a figure we’re working tirelessly with our merchants and ISVs to reduce. We don’t think our merchants are outliers in this regard – it’s likely that they represent a faithful cross-section of the merchant community. Clearly, there’s a lot of work to be done in the next 11 months.
If you’re a merchant or QIR, the thought of having to upgrade that many workstations can be daunting. Updating older Windows operating systems is never straightforward, and besides any license fees you’d pay to Microsoft, a merchant may also need to upgrade their POS hardware (e.g. CPU, RAM, hard drive) to support a newer version of Windows. The logistical and budgetary implications of upgrading legacy software and hardware can be considerable, easily running into hundreds or thousands of dollars per lane.
Fortunately, even if your Point of Sale’s operating system doesn't support TLS 1.2 (e.g. Windows POSReady 2009 or Vista), there's still hope. There are a number of 3rd party TLS libraries that a POS developer can employ in their solution so that their software supports TLS 1.2, without requiring merchants to go through expensive hardware and operating system upgrades. Using this approach, Cayan was able to enhance its Store & Forward product to support TLS 1.2 on Windows POSReady 2009, with only a few days' effort and at a relatively modest licensing cost. In many cases this would allow a merchant to “just” upgrade their POS software, without having to upgrade Windows or their POS hardware.

Because Cayan's APIs are all SOAP-based HTTPS web services, using one of these products could present a relatively quick and inexpensive path for our ISVs to come into PCI compliance. All of the frameworks listed below let you swap out your platform's native components with equivalent HTTPS, RESTful, and SOAP components that support TLS 1.2.
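Before swapping libraries, it helps to know which lanes actually still negotiate TLS 1.0. The handshake reveals this: the ServerHello the gateway sends back carries the negotiated protocol version. The following is an added example (not Cayan code) that parses a captured ServerHello record and flags lanes that need an upgrade under the PCI deadline; the lane names and the ServerHello bytes are constructed sample data, and TLS 1.3 (which signals its version in an extension) is out of scope, as this post concerns TLS 1.0 through 1.2.

```python
import struct

# Protocol version codes as they appear on the wire (major, minor).
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Versions the PCI deadline removes; TLS 1.1 and 1.2 remain acceptable.
DEPRECATED = {"SSL 3.0", "TLS 1.0"}


def parse_server_hello(data: bytes) -> dict:
    """Return the protocol version negotiated in a captured TLS ServerHello.

    Layout: 5-byte record header (type, version, length), then a 4-byte
    handshake header (type, 3-byte length), then the 2-byte server_version.
    Raises ValueError for anything that is not a ServerHello.
    """
    if len(data) < 11:
        raise ValueError("truncated TLS record")
    content_type, _rec_major, _rec_minor, _rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:  # 0x16 = handshake record
        raise ValueError("not a handshake record")
    if data[5] != 0x02:  # handshake type 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    major, minor = data[9], data[10]  # server_version chosen by the server
    name = VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")
    return {"version": name, "deprecated": name in DEPRECATED}


def lanes_needing_upgrade(captures: dict) -> list:
    """Given {lane_name: server_hello_bytes}, list lanes still on a deprecated version."""
    return sorted(lane for lane, hello in captures.items()
                  if parse_server_hello(hello)["deprecated"])


def _sample_hello(major: int, minor: int) -> bytes:
    """Build a minimal, constructed ServerHello: version, 32-byte random,
    empty session id, one cipher suite (0x002f), null compression."""
    body = bytes([major, minor]) + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample captures: one lane still on TLS 1.0, one already on TLS 1.2.
SAMPLE_LANES = {"lane-01": _sample_hello(3, 1), "lane-02": _sample_hello(3, 3)}

if __name__ == "__main__":
    for lane, hello in SAMPLE_LANES.items():
        print(lane, parse_server_hello(hello))
    print("needs upgrade:", lanes_needing_upgrade(SAMPLE_LANES))
```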

Without making any endorsement or claims of fitness, below are several libraries that a POS developer might consider using in their solution to add support for TLS 1.2 in legacy environments:

For more insights on how a developer can be prepared for the upcoming TLS 1.0 deadline, please visit Cayan’s TLS Help Center.