If your eCommerce website lets shoppers pay by credit card online, vulnerabilities in SSL and early TLS could put shoppers' data in the wrong hands. With the widespread use of online shopping, online security has become a critically important concern for eCommerce website owners and small merchants.
What is SSL/TLS?
In 1994, Netscape introduced SSL (Secure Sockets Layer). After fifteen years, SSL 3.0 was superseded by TLS 1.0 and TLS 1.1, and now by TLS 1.2. SSL/TLS are protocols that protect the integrity and confidentiality of data transmitted over an insecure network by authenticating client and server and encrypting the messages exchanged between the authenticated parties.
After the recent POODLE attack, SSL and early TLS have been found not to meet the requirement for strong cryptography when protecting payment data over public or untrusted communication channels.
How big is the Risk?
Despite its known security vulnerabilities, SSL still remains one of the most widely used encryption protocols. According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
PCI has declared that time is up and we should bid goodbye to Secure Sockets Layer (SSL), which has been in the market for 20 years and has been considered the most widely used encryption protocol ever released.
Most importantly, PCI has revised its original sunset date for SSL and early versions of TLS to 30 June 2016. The Council has stated in PCI DSS v3.1 that SSL and early TLS are no longer secure protocols and are not an example of strong cryptography.
What do you need to do?
As a business owner, you need to ensure that your website and its server support TLS 1.2 and that SSL support has been disabled. Online customers need to feel that their transactions are secure; otherwise they will not buy goods and services from a website that does not follow the latest PCI compliance requirements.
The bottom line is that organizations should act immediately to remove all support for SSL and TLS 1.1 to avoid any real threat to payment data security.
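One way to check that a web server's configuration has actually dropped SSL and early TLS, as an added example that is not from the original article: a small Python audit of nginx `ssl_protocols` and Apache `SSLProtocol` directives, run here over a constructed sample config. The expansion of Apache's `all` keyword is an assumption for a modern httpd/OpenSSL build.

```python
import re

# Versions the article says must go: SSL and "early TLS" (PCI DSS v3.1 wording).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed expansion of Apache's "all" keyword on a modern httpd/OpenSSL build.
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Constructed sample (not a real deployment): nginx and Apache vhosts, each
# once with SSL/early TLS still enabled and once hardened to TLS 1.2 only.
SAMPLE_CONFIG = """\
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: SSL and early TLS still on
}
server {
    ssl_protocols TLSv1.2;                      # hardened
}
<VirtualHost *:443>
    SSLProtocol all -SSLv3                      # weak: TLSv1 and TLSv1.1 remain
</VirtualHost>
<VirtualHost *:9443>
    SSLProtocol -all +TLSv1.2                   # hardened
</VirtualHost>
"""

def enabled_protocols(directive, args):
    """Return the set of protocol versions one directive line enables."""
    if directive == "ssl_protocols":      # nginx: an explicit allow-list
        return set(args)
    enabled = set()                       # Apache: all / +name / -name algebra
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else [name]
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled

def audit_tls_config(text):
    """Report every protocol directive that still permits SSL or early TLS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")   # strip comments and ';'
        m = re.match(r"^(ssl_protocols|SSLProtocol)\s+(.+)$", line)
        if m:
            directive, args = m.group(1), m.group(2).split()
            weak = enabled_protocols(directive, args) & DEPRECATED
            if weak:
                findings.append({"line": lineno, "directive": directive, "weak": sorted(weak)})
    return findings
```

Running `audit_tls_config(SAMPLE_CONFIG)` flags only the two weak directives, so a clean result on a real config file means no SSL or early TLS fallback is left enabled by those directives.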
Additionally, modern web browsers will begin refusing SSL and early TLS connections in the very near future, preventing their users from reaching web servers that have not migrated to a more modern protocol such as TLS 1.2. Conversely, if a cardholder is using an outdated browser that supports only TLS 1.0, the payment page will not be displayed to them. Cardholders therefore also need to upgrade to a web browser that supports the current TLS 1.2.
All major payment gateways such as PayPal, UPS, FedEx and Authorize.net have sounded the warning bell about this security risk and have already upgraded to TLS 1.2 to avoid any disruption of service.
So, if you do not want to lose your valuable online customers, migrate to TLS 1.2 immediately.