Merchants need to start planning TLS migration

Merchants using SSL encryption to protect transactions will soon have to upgrade to TLS -- but not all payment vendors are ready.

"From our experience, it seems to be 60-40," said Don Brooks, senior security engineer at Chicago-based Trustwave Holdings, Inc., which provides PCI compliance services. "Sixty percent have it, 40 percent don't."

SSL, or secure sockets layer, has been ground zero for a series of recent vulnerabilities.

As a result, the National Institute of Standards and Technology released guidance last year requiring all federal agencies to upgrade to a successor standard, TLS 1.2.

In February, the Payment Card Industry Security Standards Council followed up on the NIST recommendation in a bulletin.

"The National Institute of Standards and Technology has identified the Secure Socket Layer v3.0 protocol as no longer being acceptable for protection of data due to inherent weaknesses," the Council said. "Because of these weaknesses, no version of SSL meets PCI SSC's definition of 'strong cryptography.'"

In the bulletin, the Council promised an update to its Data Security Standard. That update is due out this month, said Brooks.

However, while the update will be effective immediately, the Council promised that the "requirements will be future-dated to allow organizations time to implement the changes."

"The PCI Council knows that they can't wave a magic wand and fix it overnight," Brooks said. "We don't know yet when the deadline date will be, but it's logical that it would be to the end of the year."

According to the SSL Pulse service of the Trustworthy Internet Movement, about 45 percent of the world's top million websites still support SSL.

TLS, or transport layer security, evolved from SSL.

All modern browsers already support it.

"There are older browsers," Brooks added. "If you're running a Windows XP machine with no patches on it, TLS wasn't invented yet. But if you're running something modern, you should have no issues with it."

However, while TLS is not compatible with SSL, the certificates that websites get to secure their communications can work with either standard, Brooks said.

That makes it easier to upgrade.

"For e-commerce, it's a very simple switch that they make," he said. "For the vast majority of folks, they're not going to have to go out and reissue certificates like they had to do when the bugs first started coming out."
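The "simple switch" Brooks describes is, on a typical web server, a one-line change to the protocol list: the existing certificate and key stay in place, and only the allowed protocol versions change. The fragment below is an added illustration for nginx (it is not from the article or from Trustwave) showing a legacy server block that still accepts SSLv3 next to the corrected one that allows only TLS 1.2. The certificate and key paths are placeholders.

```nginx
# BEFORE: legacy configuration that still accepts SSLv3.
# Any client that negotiates SSLv3 here is outside the PCI SSC
# definition of "strong cryptography".
server {
    listen 443 ssl;
    server_name shop.example.com;                  # placeholder hostname

    ssl_certificate     /etc/ssl/certs/shop.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/shop.key; # placeholder path

    # Weak setting: SSLv3 is offered alongside TLS.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# AFTER: same certificate, same key, only the protocol list changes.
server {
    listen 443 ssl;
    server_name shop.example.com;                  # placeholder hostname

    # Unchanged: no certificate reissue is needed for this migration.
    ssl_certificate     /etc/ssl/certs/shop.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/shop.key; # placeholder path

    # Corrected setting: SSLv3 (and the earlier TLS versions) removed,
    # matching the NIST guidance the article cites.
    ssl_protocols TLSv1.2;
}
```

After reloading nginx, the change can be confirmed from an administrator's own workstation by attempting an SSLv3 handshake against the server and checking that it is refused, while a TLS 1.2 handshake still completes; the same server block is also where the older POS-facing endpoints mentioned later in the article would need review, since a POS terminal that only speaks SSLv3 will stop connecting once the protocol is removed.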

A bigger issue is that of merchants using third-party point-of-sale systems.

"A great many of these POS systems communicate with the banks and the processors using SSL," he said. "One of the things that our payment application group is doing is making sure that all our clients are looking at this issue and addressing this problem."
