If you run a website that accepts online payment, you are going to want to keep reading this.
Back in 2017, the PCI Security Standards Council mandated that all payment processors and merchants move to TLS 1.2 or above. The deadline for this is June 30, 2018.
So what does that mean for you? If you don’t update to the latest security protocols you run the risk that your payment gateway will stop working. Already many systems such as PayPal, Stripe, Braintree, Authorize.Net and others have made the switch. If you use one of these services, you are probably alright, but there are other factors to consider, which we’ll discuss later.
Technology is constantly evolving, but so are the skills of hackers. This is why it’s critically important for businesses to understand web encryption and how to keep their data and online businesses safe.
Let’s dive a little deeper into the issue by answering some of the most frequently asked questions.
What Is TLS?
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. TLS is the successor to the Secure Sockets Layer (SSL) and is the most widely deployed security protocol. TLS is used for Web browsers and other applications that require data to be securely exchanged over a network, such as ecommerce payment gateways, file transfers, VPN connections, instant messaging and voice over IP.
Basically, what TLS does is ensure that no one is able to intercept or alter the communication between applications. It allows you to buy that new coffee machine on takealot or make a secure payment via your bank account online, safely and securely.
Why Do We Need TLS 1.2?
Due to high-profile attacks such as BEAST, CRIME, Heartbleed and POODLE, the PCI Security Standards Council has instructed vendors to transition to TLS 1.2 and completely end support for the older, less secure protocols by June 30, 2018. The PCI Security Council has stated, “The vulnerabilities within SSL and early TLS are serious and left unaddressed put organizations at risk of being breached.”
Because of these known risks, most payment technology vendors have become more aggressive in their implementation timeframes and many have already deprecated the older protocols. Services such as PayPal, Authorize.net, Stripe, UPS, FedEx, and many others already support TLS 1.2, and have announced that they will eventually refuse TLS 1.0 connections.
Time is running out so if you have not upgraded to TLS 1.2 already, you should do it now to avoid disruption later.
Does My Organization Need To Use TLS/SSL?
Your organisation’s activities will determine whether you need to use TLS/SSL. Any organisation that processes payments or is involved with health services is required by legislation to use security protocols such as TLS/SSL to encrypt network communications.
For other organisations, it’s just a good idea. Even if you only run a blog with a list of subscribers, you want to keep their details safe. In 2014, Google introduced HTTPS (HTTP with SSL/TLS) as a lightweight SEO ranking signal. Using SSL/HTTPS makes your website look more trustworthy to visitors and could help boost your rankings; it’s a win-win.
You might want to read up on Protection of Personal Information Act and the Electronic Communications and Transactions Act to find out how these affect your business.
What Happens If I Don’t Upgrade To TLS 1.2?
By using older, less secure protocols you are putting your customers’ data at risk. If you are not compliant with the latest PCI Security Standards, a data breach may result in fines or even the termination of the services that enable payments.
Ultimately, if you have not made the switch to TLS 1.2 by the deadline you run the risk that payment processing, shipping rates, or other real-time data will stop working.
How Can I Tell If My Site Is Vulnerable?
You are most likely protected if you are using a hosted solution for your ecommerce platform. However, if you use a third party for a custom-built solution, you should verify that you are protected with the vendor of your hosting solution.
You can test your site’s TLS configuration at SSL Labs by Qualys. The website is a little slow, but it runs a battery of tests and gives you a good indication of how secure your website is.
Isn’t Updating My SSL Certificate Good Enough?
The SSL certificate is only half of the connection. The certificate secures incoming traffic to your web server (your visitors’ browsers), but it does nothing for the outbound calls your web server itself makes to other services, such as banks or payment gateways. Those calls depend on the TLS versions your server software is able and configured to use.
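Both halves can be checked with the same probe: run it from your workstation against your own site to see which protocol versions your server still accepts (the inbound side from the previous section), and run it on the web server itself against your payment gateway’s hostname to confirm that the server’s own TLS library can still negotiate TLS 1.2 outbound. This is an added example, not code from the original post; the `probe_tls_versions` and `pci_compliant` functions are our own, and a hostname to test is assumed to be supplied by the reader.

```python
import socket
import ssl

# Protocol versions to probe, oldest first. SSLv3 and early TLS are included
# because the PCI requirement is that a compliant server refuses them.
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("SSLv3", "TLS 1.0", "TLS 1.1")


def context_for(version):
    """Client context pinned to exactly one protocol version, or None when the
    local OpenSSL build cannot speak that version at all."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses legacy versions at its default security level;
        # relax it for the probe so a rejection comes from the server, not us.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version name: 'accepted' | 'rejected' | 'untestable' | 'error: ...'}."""
    results = {}
    for name, version in VERSIONS:
        ctx = context_for(version)
        if ctx is None:
            results[name] = "untestable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = "accepted"  # handshake completed at this version
        except ssl.SSLError as exc:
            # NO_PROTOCOLS_AVAILABLE means our own client could not offer the
            # version (older Python pins OP_NO_SSLv3); that is not a server refusal.
            local = (exc.reason or "") == "NO_PROTOCOLS_AVAILABLE"
            results[name] = "untestable" if local else "rejected"
        except OSError as exc:
            results[name] = "error: %s" % exc
    return results


def pci_compliant(results):
    """True only if TLS 1.2 is accepted and no SSL/early-TLS version is."""
    return results.get("TLS 1.2") == "accepted" and not any(
        results.get(v) == "accepted" for v in LEGACY)
```

A result of "untestable" for SSLv3 or TLS 1.0 means your local OpenSSL no longer speaks that version, so use SSL Labs for that row; "rejected" means the remote end refused it.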
What Can I Do To Ensure My Site Is Compliant?
This is a difficult question to answer since every organization’s setup is so unique. You can contact us and we’ll implement a solution for you, or speak to your hosting provider or IT manager to ensure that your IIS (Internet Information Services) web server, .NET Framework or eCommerce application connections and platforms are compliant with TLS 1.2.
Where Can I Find More Information About TLS?
The internet is full of resources that you can and should read to ensure you are prepared for TLS compliance.
Here are a couple of resources to get you started:
PCI Data Security Standard (PCI DSS)
How SSL and TLS works
Video: SSL TLS HTTPS Process Explained in 7 Minutes
Conclusion
It’s always best to be proactive with security; keeping your company and customers safe is the best way to build meaningful long-term relationships. Plus, the cost of cleaning up after a security breach far outweighs the expense of ensuring that your security is always compliant with the latest standards.
Security is just as important as any other part of an excellent customer experience. So don’t let your customers down: update to TLS 1.2 today.