
Get Your Act Together and Migrate from SSL/Early TLS before the June 30th Deadline
SSL/early TLS will need to be disabled by 30 June 2018. Every business will need to implement a far more secure encryption protocol if it wishes to comply with the PCI Data Security Standard (PCI DSS). Whether you process your own customers' or clients' payments or you work with other businesses and partners who process online payments, migration from SSL/early TLS to TLS 1.1 or 1.2 and above is a crucial necessity. PCI compliance is a necessity if you offer any kind of payment transaction on your website. For instance, if you run an online store and people enter their card details to purchase a product or service, PCI DSS compliance is an absolute necessity. In this article, let us take a look at what SSL/early TLS are, what you need to do to comply with the new regulations, and how it is going to benefit you in the long term, with a few use cases placed in context.

What is the problem with existing PCI DSS compliance protocols?

Back in the 1990s, Netscape developed the Secure Sockets Layer (SSL) to keep information and data confidential and secure while being shared between two different systems. Transport Layer Security (TLS) is a closely related cryptographic protocol that adds a layer of security to payment procedures. Using the latest versions of SSL and TLS was an absolute necessity for displaying the PCI DSS compliance certificate. The PCI DSS compliance certificate assures web shoppers and users that their credit card information will remain safe and that their financial data will not be put at risk.

Unfortunately, SSL and early TLS have a number of vulnerabilities that put organizations, users, and customers at risk of various kinds of threats. Many hackers and malicious entities have used loopholes within SSL and early TLS to compromise security and financial data privacy. Currently, fixes and patches cannot repair these SSL and early TLS vulnerabilities.
In addition, hackers and attackers have grown more advanced, leaving PCI DSS-compliant websites that still rely on these protocols vulnerable and weak. To address and mitigate these vulnerabilities, PCI DSS compliance now requires you to migrate to more advanced encryption protocols. If you can convincingly prove that your payment terminals (POIs) are not vulnerable to any known SSL and early TLS threats, you may not need to migrate them to the newer encryption requirements. For every other platform and situation, however, you will have to migrate to the new requirements by 30 June 2018. Hence, every eCommerce or online business using SSL or early TLS has no option but to adopt the new protocols and enforce them as soon as possible.

Note: If you are planning to use RC4, MD5, or other unapproved algorithms to fix security issues, stop immediately. These practices are not allowed under the new regulations.

Is this update only for PCI-compliant websites?

The short answer is no. If you allow transactions to go through your website, you will need to update to newer protocols as soon as possible. Even if you have not applied for PCI certification, and even if you have other methods of telling your users that you offer a secure transaction environment, you will need to move off the current SSL/early TLS versions.

What you need to do immediately

If you are not PCI-compliant and do not wish to seek certification, you still need to upgrade to the latest encryption protocols in order to eliminate the weaknesses of existing SSL and early TLS versions. Conduct a website audit and make sure that existing threats are addressed. To address the vulnerabilities within SSL and early TLS, you have to migrate to at least TLS 1.1. However, TLS 1.2 or above is strongly recommended, as older versions simply do not have the ability to thwart current threats.
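The audit this section asks for can be partly automated. As an added example (not code from the original post), the following Python script checks the two settings the article is concerned with: which protocol versions a server block still enables and which cipher suites it offers, flagging SSL/early TLS, the RC4/MD5 family named above, and a configuration that only reaches the TLS 1.1 floor. The two nginx snippets are constructed for illustration; ssl_protocols and ssl_ciphers are nginx's real directive names. The second half builds the equivalent hardened context with Python's standard ssl module and runs the same audit over the cipher list it actually exposes, which is a useful check that the library build agrees with the policy.

```python
"""Audit TLS protocol and cipher settings against the SSL/early TLS migration
requirements: SSL and TLS 1.0 off, TLS 1.2 or above preferred, no RC4/MD5.
Added example; the nginx snippets are constructed for illustration."""
import re
import ssl

# Protocol versions the article says must be disabled (SSL and early TLS).
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# TLS 1.1 is the stated floor, but TLS 1.2 or above is what is recommended.
FLOOR_ONLY_PROTOCOLS = {"TLSv1.1"}
# Cipher-suite markers to reject: RC4 and MD5 are named in the article as
# unapproved; NULL, EXPORT and DES are legacy leftovers dropped for the same reason.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "EXP-", "DES")

# Constructed "before" configuration: SSLv3 and TLS 1.0 still on, RC4 and 3DES offered.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}
"""

# Constructed "after" configuration: TLS 1.2+ only, AEAD suites with ECDHE key exchange.
HARDENED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
}
"""


def parse_nginx_tls(config_text):
    """Pull the ssl_protocols and ssl_ciphers directives out of an nginx server block."""
    protocols, ciphers = [], []
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    if m:
        protocols = m.group(1).split()
    m = re.search(r'^\s*ssl_ciphers\s+"?([^;"]+)"?\s*;', config_text, re.MULTILINE)
    if m:
        ciphers = m.group(1).split(":")
    return protocols, ciphers


def audit_tls_settings(protocols, ciphers):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    for proto in protocols:
        if proto in FORBIDDEN_PROTOCOLS:
            findings.append(f"{proto} enabled: SSL/early TLS must be disabled")
        elif proto in FLOOR_ONLY_PROTOCOLS:
            findings.append(f"{proto} enabled: meets the TLS 1.1 floor only, TLS 1.2 is recommended")
    if protocols and not {"TLSv1.2", "TLSv1.3"} & set(protocols):
        findings.append("neither TLSv1.2 nor TLSv1.3 is enabled")
    for suite in ciphers:
        if suite.startswith("!"):
            continue  # an explicit exclusion such as !RC4 is exactly what we want to see
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    return findings


def hardened_server_context():
    """Build a server-side SSLContext that enforces the same policy in code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 cannot be negotiated
    # Forward-secret AEAD suites only; the trailing exclusions make the intent explicit.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def context_findings(ctx):
    """Audit a live SSLContext the same way as a configuration file."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    names = [c["name"] for c in ctx.get_ciphers()]  # what the library will really offer
    findings += audit_tls_settings([], names)
    return findings


if __name__ == "__main__":
    for label, snippet in (("weak", WEAK_NGINX), ("hardened", HARDENED_NGINX)):
        protocols, ciphers = parse_nginx_tls(snippet)
        print(label, audit_tls_settings(protocols, ciphers) or ["OK"])
    print("python ssl context:", context_findings(hardened_server_context()) or ["OK"])
```

The checker deliberately treats TLS 1.1 as a finding rather than a failure, mirroring the article's "1.1 is the floor, 1.2 is recommended" position; tighten FLOOR_ONLY_PROTOCOLS into FORBIDDEN_PROTOCOLS if your policy is TLS 1.2 only. Key sizes are not covered here, since they live in the certificate and DH parameters rather than in these two directives.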
If your clients or partners run websites, you will have to urge them to update to TLS 1.2 immediately as well, as directly or indirectly you will be responsible for any security breaches that may occur. Do not forget that GDPR has already rolled out, and financial information counts as personal data too.

Make sure that there are no implementation vulnerabilities such as the numerous ones found in OpenSSL. Always ensure that patches are up to date and that you already have countermeasures in place to address security threats. It is important to quickly migrate from SSL/early TLS to TLS 1.2 or higher in order to keep yourself, your customers, and your clients safe from hackers and attackers.

If you are configuring TLS yourself, make sure that you do it securely. You will need to make sure that secure TLS cipher suites are supported and that unwanted cipher suites are disabled. In short, whatever is not required for interoperability, disable it. You will also need to make sure that only adequate key sizes are supported. The PCI SSC website has a lot of information regarding SSL and early TLS migration; visit it for more guidance.

If you do not want to risk migrating from SSL/early TLS to TLS 1.2 on your own, consider partnering with an external agency. External vendors have not only the time but also the resources and technical expertise to ensure that all your websites migrate to the latest version of TLS without any errors. Most importantly, you can rest assured that during or after migration your customers will never notice any downtime or inaccessibility. Tell us if you are struggling.

How We Can Help

Stop Unwanted Calls

Problem: An eCommerce business noticed that some customers had started to receive unwanted calls from suspicious entities. Hackers were able to sneak in through vulnerabilities in SSL during checkout.
This helped them extract personally identifiable information about customers, which they used not only to make calls but also potentially for more malicious purposes.

Solution: We helped the business migrate smoothly to TLS 1.2, without causing any difficulties or downtime for their website operations.

Get the ERP Right

Problem: A large multinational company that deals with cloud ERP has several eCommerce clients across the world. It wondered if the payment