As of June 30, 2018, the PCI DSS required merchants to upgrade to the TLS 1.2 security protocol as part of PCI compliance. This article will cover TLS 1.2 requirements to help ensure you’ve successfully migrated to TLS 1.2.
What is TLS 1.2?
When the internet was created, people needed a secure way to exchange information over public networks. SSL, or Secure Sockets Layer, was a security protocol created to protect communication across the internet using cryptography. Over time, however, vulnerabilities were found in SSL, and it was succeeded by TLS (Transport Layer Security). TLS likewise grew stronger over time, through versions 1.0, 1.1, and eventually 1.2. TLS 1.2 is the most recent of these versions, and it is used to protect information as it travels over the internet.
Why is TLS 1.2 being required?
If you accept credit card payments, then you’re a part of the online ecosystem that must be protected against fraud and data breaches. As a merchant, you’re responsible for taking every necessary step to ensure your customers’ data is safe.
Unfortunately, the early versions of SSL and TLS 1.0 are now outdated, with several known vulnerabilities that put sensitive data at risk. If you’re a merchant using SSL or TLS 1.0, then you’re putting your customers’ credit card data in serious danger.
When SSL and TLS 1.0 were found to have weaknesses that exposed data to attack, the PCI DSS was revised to end the use of these outdated protocols.
If you haven’t upgraded to TLS 1.2 yet, then you could be liable for fraud, attacks, or breaches that occur due to vulnerabilities in SSL and TLS 1.0.
What about TLS 1.1?
While SSL and TLS 1.0 are considered extremely insecure, TLS 1.1 is still a viable security protocol under the PCI DSS. That is, merchants have the option of migrating to TLS 1.1 instead of TLS 1.2. However, TLS 1.2 is stronger than TLS 1.1 and will better protect customer data. If you’re already making an upgrade, we highly recommend you choose TLS 1.2.
What are the TLS 1.2 requirements?
The newest version of the PCI DSS, version 3.1, includes several new requirements pertaining to the TLS protocol. These requirements are:
- Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons considered insecure.
- Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Essentially, these requirements mean merchants must upgrade to TLS 1.2.
How do I make sure I’m following the TLS 1.2 requirements?
To adhere to these requirements, merchants must take several steps.
First, merchants should decide to migrate to TLS 1.2 instead of TLS 1.1.
Second, they must ensure their systems are compliant with TLS 1.2. These systems include:
- Web servers
- eCommerce platforms
- Point of sale terminals
- Payment gateways
- And more
Every merchant has a unique payment processing environment. It’s up to each merchant to investigate each piece of that environment and make sure it’s TLS 1.2-compliant.
Third, merchants must ensure that they’ve disabled or disallowed SSL and earlier versions of TLS. For example, if you’ve updated your web server to TLS 1.2, make sure it doesn’t still accept connections over TLS 1.0. Blocking these earlier versions ensures that your processing systems are protected and that a client can’t quietly fall back to an older, more vulnerable protocol.
Fourth, merchants must continue to monitor the state of TLS and implement any new updates or versions. Unfortunately, cybersecurity can’t be solved with a single upgrade. Staying up to date and fully PCI compliant requires constant vigilance and a future-ready mindset.
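As an added check for the third step (this script is not part of the original article), the following Python code pins a client handshake to one TLS version at a time and reports which versions a server still accepts; the host name, port and the probe function are assumptions, so run it against your own endpoints.

```python
import socket
import ssl

# Versions a PCI-scoped endpoint should refuse (TLS 1.0, 1.1) and accept (TLS 1.2).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def try_handshake(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one TLS version; True if the server accepted it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we are probing protocol support, not validating the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def assess(results):
    """Turn {version name: accepted} into a list of findings; empty means the endpoint passes."""
    findings = []
    for name, accepted in results.items():
        if name in ("TLSv1.0", "TLSv1.1") and accepted:
            findings.append(f"{name} still enabled; disable it")
    if not results.get("TLSv1.2"):
        findings.append("TLSv1.2 not accepted; enable it before disabling older versions")
    return findings


def audit(host, port=443, probe=try_handshake):
    """Probe every version in VERSIONS and return (results, findings)."""
    results = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
    return results, assess(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example"  # hypothetical host
    results, findings = audit(target)
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    print("PASS" if not findings else "\n".join(findings))
```

A client whose OpenSSL build no longer supports TLS 1.0 or 1.1 will report those versions as refused regardless of the server, so confirm an unexpected "refused" with a second tool or from another host.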
While the migration to TLS 1.2 may be a pain, and the requirements themselves may be confusing, it’s imperative for merchants to understand TLS 1.2 requirements and effectively implement them into their payment processing environments. In the long run, making the upgrade to TLS 1.2 will better protect merchants, their customers, and their sensitive data.