What You Need to Know about the POODLE Security Vulnerability

On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol (SSL 3.0) was disclosed. Discovered by Google researchers and dubbed "POODLE", this vulnerability allows an attacker, in certain situations, to read information encrypted with this version of the protocol in plain text. POODLE is exploited through what’s called a “man in the middle” attack, which allows a potentially hostile actor to intercept sensitive data, such as payment and cardholder info.

SSL 3.0 is a security protocol that has been around for nearly two decades. It has since been replaced by a more secure protocol known as TLS, but websites and web browsers have been slow to adopt TLS and deprecate the outdated protocol, and many pieces of software will still fall back on SSL 3.0 if better encryption options are not available.

Microsoft recently announced it will be working to disable SSL 3.0 by default in Internet Explorer (IE) and Microsoft online services during the coming months. "If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today," Tracey Pretorius, director of communications for Microsoft's Security Response Center, blogged. "IE 11 is our latest and most secure browser and customers who upgrade will continue to benefit from additional security features."

As a user, the easiest way to protect yourself from POODLE is to turn off support for SSL 3.0 in your browser. For most users, this fix involves getting into your browser’s settings menu, disabling SSL 3.0, and enabling the TLS protocol.

The Payment Card Industry standards require that Merchant Warehouse, our partners, and our merchants all share a joint responsibility in keeping cardholders’ data private and secure. In order to meet those standards, we must sometimes take drastic – but necessary – steps to keep our customers safe.

Since many partners and merchants rely on SSL 3.0 to connect to Merchant Warehouse, we haven't immediately turned it off. This predominantly affects our partners and merchants that are using Internet Explorer 6, Windows XP, or Windows Server 2003. To help mitigate the risk associated with this vulnerability, we're urging our partners and merchants to disable SSL 3.0 as soon as possible, as Merchant Warehouse will be discontinuing support for SSL 3.0 before the end of 2014. We also strongly urge merchants to upgrade to newer versions of Windows and Internet Explorer at their earliest possible opportunity. Windows XP and IE 6 are no longer receiving security updates, and are thus no longer PCI compliant. Not taking these necessary steps may cause compatibility problems that leave customers unable to pay with Merchant Warehouse on your site or Point of Sale.

Thank you for your prompt attention to this issue and understanding of our approach. Though we recognize this necessary step may cause compatibility issues, we can't stress enough that this short-term inconvenience is heavily outweighed by our promise to our customers that we will keep their financial details safe. We plan to keep our customers up to date on how we are addressing this issue via the appropriate channels. We appreciate your patience and understanding as we work around the clock to better serve you and keep you and your customers’ data safe.