TLS 1.0 Impact on MSPs and Merchants

Merchants and merchant services providers have a responsibility to do everything within our power to ensure that the transactions on our websites, restaurants and storefronts are secure. While we’re engaged in an ever evolving battle against hackers, there are hardened practices designed to reduce our risks - to secure cardholder data and personally identifiable information and prevent it from being stolen or misused.

As attacks and hackers become increasingly more sophisticated, PCI and industry standards have been evolving rapidly to better protect cardholder data. The Payment Card Industry Data Security Standards (PCI DSS) provides a framework for merchants and merchant services providers to secure sensitive cardholder data in payment processing.

emv.pngPerhaps the most prominent example over the past 14 months has been the introduction of chip-enabled cards in the US, a mechanism demonstrated across the globe to dramatically drive down card present fraud. Today, 70% of Cayan’s merchants’ transactions are conducted using chip cards, while only 30% use traditional magnetic stripe cards, a trend we only see accelerating.

While the introduction of chip-enabled cards was certainly a customer-visible change, a number of less consumer-visible changes have happened behind the scenes. In the two most recent versions of its security standards, the PCI Software Security Council has enacted a moratorium on legacy encryption protocols, such as SSL and SHA, no longer considering them to be strong cryptographic protocols.

In its latest standards document, the PCI SSC has added TLS 1.0 to the list, and provides guidance for merchants and merchant services providers to adopt newer versions of the TLS cryptographic standard. In the PCI 3.2 standard, the PCI SSC has mandated that by June 2018, merchants and MSPs must migrate to more secure protocols, but waiting is not recommended. The existence of the POODLE and Heartbleed exploits, among others, prove that anyone using SSL and early TLS risks being breached.

timeline.png

In total, the new PCI standard mandates that:
 
  1. All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers - must provide a TLS 1.1 or greater service offering by June 2016. 
  2. Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater. TLS 1.2 is recommended.
  3. All entities must cutover to use only a secure version of TLS effective 30 June 2018
tls-usage.pngCayan expects the deprecation of TLS 1.0 to be as disruptive to merchants and MSPs as EMV or SHA were. Presently, over 60% of Cayan’s merchants are securing their transactions using TLS 1.0, and Cayan believes that its merchants and POS ISV partners are not unique in this regard. Over the next 17 months, everyone from merchants, MSPs, and POS vendors will need to join in a concerted effort to upgrade and reprogram payment terminals and harden their Points of Sale - many of which are running legacy operating systems, such as Windows POSReady 2009, which will never be updated to support newer encryption protocols.

Cayan welcomes PCI’s proactive and comprehensive approach to protecting cardholders and merchants from fraud and data breaches, and is committed to working with our partners, ISVs, and merchants to ensure that your transactions remain secure. We’ll soon be launching an outreach campaign to drive TLS 1.0 usage down to zero, in a way that’s minimally impactful to our partners and customers.

Cayan as always is committed to reducing PCI scope and associated fees for its merchants. As part of that commitment, we’ve certified Genius to the PA-DSS 3.2 standard, and are in the process of certifying Genius against the rigorous P2PE 2.0 standard, further safeguarding your transactions.

For more information on the PCI 3.2 requirement to sunset early TLS, please see the following: