Important PCI Changes that may affect your E-Commerce Application

UPDATE 5/13/16:

We have just been informed that PayPal updated its notice yesterday (5/12/16): it is no longer targeting 6/17/16 as the deadline for migration to TLS 1.2 and has moved the date out to June 2017 (see the PayPal notice in the references below). UPS has likewise backed away from its previous date of 5/31/16; it will not enforce that date and instead encourages clients to make the transition (see the UPS data-security page in the references). We are pleased that our clients will have additional time to move their sites off SSL and early TLS, but we encourage every client who has not yet started looking for an alternative to begin planning promptly. We will continue to monitor these changes in the industry and communicate anything new as we become aware of it.

A key element of securing e-commerce transactions is encrypting them in transit over the Internet. As computing power grows and new ways of weakening encryption are found, the protocols and ciphers that count as acceptable have to move forward over time. SSL, which was considered secure only a few years ago, is now obsolete: every version of SSL has known weaknesses, and the 2014 POODLE attack against SSL 3.0 is what prompted the payment industry to stop treating it as strong cryptography.

Under PCI DSS version 3.1, SSL and "early TLS" are no longer considered strong cryptography: new implementations may not use any version of SSL at all, and TLS, the successor protocol to SSL, is the required transport encryption. The industry is now moving to phase out early versions of TLS for both new and existing implementations.

The PCI requirement is that by 30 June 2018 (a date extended from June 2016) all merchants must be using a secure version of TLS as defined by NIST (SP 800-52). Currently that means TLS 1.1 or higher, with TLS 1.2 as the recommended implementation. Note that these dates and versions can change if a new vulnerability makes a particular TLS version exploitable.

Although the PCI Security Standards Council has set June 2018 as the deadline for migrating to a secure version of TLS, third-party services may set their own, earlier deadlines and policies. For example, we are currently aware of the following:

  • Authorize.Net has announced that it will disable support for TLS 1.0 in early 2017, and is considering disabling support for TLS 1.1 at the same time (which would make TLS 1.2 the only supported version).
  • PayPal has announced that it will disable support for TLS 1.0 and 1.1 and require TLS 1.2 as of June 17, 2016.
  • UPS has announced that it will support only TLS 1.2 as of May 31, 2016.

Many of our customers host e-commerce sites built with ASP.NET. Older versions of the .NET Framework do not support the newer versions of TLS: TLS 1.1 and 1.2 support was added in .NET Framework 4.5, so a site running on 4.0 or earlier cannot negotiate TLS 1.2 with a payment gateway no matter how the server itself is configured. To use TLS 1.2 your site must therefore be running on ASP.NET 4.5 or later, which may mean upgrading your application code or migrating to a different application in order to keep using the payment services above or any other service that requires a newer version of TLS. Two caveats apply even on 4.5. First, the gateways' deadlines apply to the outbound connection your site makes to them as a TLS client; this is separate from the HTTPS your visitors' browsers use to reach your store, which is governed by the server's own SChannel settings. Second, .NET 4.5 does not use TLS 1.2 for outbound connections by default (its default is SSL 3.0 and TLS 1.0); either the application must request it by setting System.Net.ServicePointManager.SecurityProtocol at start-up, or the server administrator must set the SchUseStrongCrypto registry value for the .NET 4.x runtime. .NET 4.6 and later enable TLS 1.0, 1.1 and 1.2 by default.

If you are running AspDotNetStorefront, this requires an upgrade to version 9.5.x or later.

For sites built with PHP, TLS support comes from the OpenSSL library your PHP build is linked against; any OpenSSL 1.0.1 or later speaks TLS 1.2, so PHP has been able to use TLS 1.2 for some time and will normally negotiate it automatically once the early TLS versions are disabled on the gateway side. Test this well in advance of any deadline to make sure no code or configuration changes are needed: check which OpenSSL version phpinfo() reports, and test your checkout against the gateway's sandbox endpoint. PHP 5.6 and later also let you pin the protocol version in code if necessary: the stream-context crypto_method option accepts STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, and cURL's CURLOPT_SSLVERSION accepts CURL_SSLVERSION_TLSv1_2 (from PHP 5.6.3).

Applied Innovations is dedicated to providing secure hosting solutions and we support the latest encryption requirements. Depending on your current hosting platform, however, you may need to migrate to a newer platform to take advantage of this. Both IIS and the .NET Framework rely on the operating system's SChannel library for TLS, and the original release of Windows Server 2008 (and anything older) does not support TLS 1.1 or 1.2 at all. Windows Server 2008 R2 supports them but they are not necessarily enabled, and Windows Server 2012 and later enable them by default.
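The following PowerShell script is an added example for the ASP.NET and Windows Server points above; it is not code from the original post or from Applied Innovations. It does the three things a Windows host administrator has to do before a gateway cutoff: enable the TLS 1.2 protocol keys in SChannel (and disable SSL 2.0/3.0, which PCI has already phased out), set SchUseStrongCrypto so that existing .NET 4.x applications default to TLS 1.0/1.1/1.2 for their outbound connections, and then probe a gateway host with a handshake restricted to one protocol version at a time so you can see which versions it still accepts. It assumes an elevated PowerShell session, the .NET Framework 4.5 or later (the Tls11 and Tls12 enum values do not exist on 4.0, so the probe fails there, which is itself the symptom the post describes), and it uses api.paypal.com only as an example hostname; use the endpoints named in your own gateway's notice.

```powershell
# Added example, not part of the original post. Enables TLS 1.2 in SChannel,
# turns off SSL 2.0/3.0, makes .NET 4.x default to modern TLS, then probes a
# host one protocol version at a time. Run elevated; reboot for SChannel keys.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Writes the Client (outbound) and Server (inbound, i.e. IIS) keys for one
    # protocol. Enabled=1/DisabledByDefault=0 offers it without the application
    # asking for it by name; Enabled=0/DisabledByDefault=1 switches it off.
    param(
        [Parameter(Mandatory=$true)][string]$Name,   # e.g. 'TLS 1.2', 'SSL 3.0'
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $SchannelRoot $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enable)        -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -Type DWord
    }
}

function Enable-DotNetStrongCrypto {
    # With SchUseStrongCrypto=1 (requires .NET 4.5+ installed), .NET 4.x
    # applications that were never recompiled default to TLS 1.0/1.1/1.2
    # instead of SSL 3.0/TLS 1.0 for outbound connections. Both registry views
    # are set because IIS application pools may run 32-bit or 64-bit.
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($p in $paths) {
        if (Test-Path $p) {
            Set-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
        }
    }
}

function Test-TlsVersion {
    # Opens a TCP connection and attempts a handshake restricted to exactly one
    # protocol version, so a failure means "this host rejects that version".
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        # (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        New-Object PSObject -Property @{
            Host = $HostName; Requested = $Protocol; Negotiated = $ssl.SslProtocol
            Cipher = $ssl.CipherAlgorithm; Ok = $true; Error = $null
        }
    } catch {
        New-Object PSObject -Property @{
            Host = $HostName; Requested = $Protocol; Negotiated = $null
            Cipher = $null; Ok = $false; Error = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

# Usage. The SChannel changes need a reboot before IIS and .NET pick them up.
Set-SchannelProtocol -Name 'SSL 2.0' -Enable $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Enable-DotNetStrongCrypto

# Probe a gateway (example hostname) with TLS 1.0, 1.1 and 1.2 in turn. After a
# gateway's cutoff only the Tls12 row should report Ok = True.
foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName 'api.paypal.com' -Protocol $proto |
        Select-Object Host, Requested, Negotiated, Cipher, Ok, Error
}
```

The probe deliberately uses SslStream rather than Invoke-WebRequest so that it works on the PowerShell 2.0 that ships with Windows Server 2008 R2 and so that exactly one protocol version is offered per attempt; a successful Tls12 row against your own site's hostname also confirms that the Server-side SChannel key took effect after the reboot. Only TLS 1.2 is enabled here and TLS 1.0 is left alone, because the PCI deadline for early TLS is June 2018 and turning it off on the Server side can lock out older browsers; do that as a separate, tested change.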

We recommend that you consult a qualified developer, your application vendor and your merchant service providers about how these changes affect you. Please contact us if you need to upgrade your Windows hosting services to meet these requirements so we can help you select the right solution for your needs.

If your store runs a version of storefront.net that is impacted by this change and you would like an alternative that addresses it and receives automated updates for future changes, we expect to announce such a solution in the next two weeks; fill out the form below or visit http://info.appliedi.net/tls-1.2-alternative-solution to be among the first notified.

If your store runs a version of AspDotNetStorefront earlier than 9.5.2 and you are concerned that you are impacted by this change and would like to understand your options, please fill out the form below and our team will be happy to help you.

References:

https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx

http://app.payment.authorize.net/e/es.aspx?s=986383348&e=1086337

https://devblog.paypal.com/upcoming-security-changes-notice/

https://secure.php.net/manual/en/migration56.openssl.php

https://www.ups.com/content/us/en/resources/techsupport/data-security.html

About the Author

Nathalie

Nathalie Vaiser, a senior member of the technical team at Applied Innovations, has close to 20 years’ experience in the server administration and IT security fields and holds various certifications including Microsoft certifications and CEH (Certified Ethical Hacker).