In order to maintain your PCI DSS compliance, you will need to migrate to the TLS v1.2 security protocol. PCI DSS 3.1 originally set the cut-off at June 30th 2016; the PCI Security Standards Council has since extended the migration deadline for existing implementations to June 30th 2018, while new implementations must not use SSL or early TLS at all.
As the landscape of online security changes, the PCI DSS standard is revised to address newly exploited weaknesses and to ensure both businesses and end users stay secure online.
Staying Secure with PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard maintained by the PCI Security Standards Council (PCI SSC), a body founded by the major card brands. It sets out the controls a business must have in place to protect cardholder data whenever it stores, processes or transmits card details, including during online transactions. PCI DSS has been the baseline security standard for ecommerce companies for years, and compliance is a condition of accepting payments with Visa, MasterCard and American Express (as well as Discover and JCB), since the card brands require merchants and service providers to meet its requirements.
Without PCI compliance, your business is far more exposed to card fraud and data breaches, and to what follows them: lost revenue, fines from the card brands and your acquirer, the cost of funding forensic investigations, reclassification to a higher-risk merchant level, and a loss of trust from your customers.
SSL and TLS Protocols
SSL (Secure Sockets Layer) is still the name most people use for the protocol that encrypts web traffic, but every version of SSL itself is now deprecated. It was superseded by TLS (Transport Layer Security), a protocol standard that provides confidentiality, integrity and server authentication between communicating applications – typically between the website and the end user's browser during transactions online.
Users can identify websites secured with TLS by the https:// prefix (Hypertext Transfer Protocol Secure) and the padlock icon the browser shows in the address bar. Note what the padlock does and does not mean: it confirms that the connection is encrypted and that the site's certificate was validated, but it says nothing about which protocol version was negotiated or whether the shop behind it is trustworthy.
The TLS protocol encrypts data in transit so that sensitive data and private customer information is exchanged safely and securely. Each new version of TLS removes weaknesses found in the previous one and adds stronger algorithms, which is why the minimum acceptable version is periodically raised for end users and businesses alike.
SSL 3.0 was superseded by TLS v1.0 in 1999, which was followed by TLS v1.1 (2006) and TLS v1.2 (2008). SSL and early TLS versions no longer meet the minimum standard because practical attacks have been demonstrated against them, for example POODLE against SSL 3.0 and BEAST against the CBC cipher modes in TLS v1.0.
TLS v1.0 is being phased out, and TLS v1.2 is currently (as of this article) the most up-to-date and secure of all options. The PCI SSC accepts TLS v1.1 as the minimum but strongly recommends TLS v1.2.
Why upgrade to TLS v1.2
The PCI Security Standards Council has declared that SSL and early TLS must be replaced with a secure alternative, and that an upgraded service must not be able to fall back to SSL or early versions of TLS.
PCI DSS 3.1 originally required websites to stop using SSL and early TLS by June 30th 2016. That deadline has since been extended: existing implementations must have migrated to TLS v1.2 (or at the very least TLS v1.1) and disabled SSL and early TLS by June 30th 2018, while new implementations must not use SSL or early TLS at all. Until the migration is complete, any system still using them must have a documented risk mitigation and migration plan in place.
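Before and after changing a server's configuration, you want evidence of which protocol versions it will actually negotiate, not just what the config file says. The script below is an added example, not part of the original article or of Xanthos's tooling: it uses only Python's standard `ssl` module to pin a client context to a single TLS version, attempts a handshake with each, and then applies a `pci_verdict` function that flags any SSL/early TLS version still enabled. The function names, the `DEPRECATED`/`ACCEPTABLE` groupings and the sample results are all assumptions made for this example; SSLv2 and SSLv3 cannot be probed from a modern `ssl` module at all, so they are listed for the verdict only.

```python
import socket
import ssl

# Versions PCI DSS classes as "SSL / early TLS" (must be disabled) versus the
# versions it accepts. Grouping is this example's assumption, from the
# PCI SSC guidance: TLS 1.1 minimum, TLS 1.2 strongly recommended.
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1")
ACCEPTABLE = ("TLSv1_2", "TLSv1_3")

# Versions the stdlib ssl module can still be asked to offer.
PROBES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    Certificate validation is switched off on purpose: the question is which
    versions the server will negotiate, not whether its certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 1.1.1+ refuses TLS 1.0/1.1 at its default security level, which
    # would make every legacy probe fail on our side rather than the server's.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not understand @SECLEVEL
    return ctx


def probe(host: str, port: int, name: str, timeout: float = 5.0):
    """True if the server negotiated `name`, False if it refused that version,
    None if our own TLS library cannot even offer it.

    A server that rejects a version may send an alert (SSLError) or simply
    drop the connection (ConnectionResetError); both count as a refusal.
    Any other OSError (DNS failure, timeout, connection refused) is raised so
    an unreachable host is not mistaken for a hardened one.
    """
    try:
        ctx = probe_context(PROBES[name])
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        return False


def scan(host: str, port: int = 443) -> dict:
    """Probe every version in PROBES and return {name: True/False/None}."""
    return {name: probe(host, port, name) for name in PROBES}


def pci_verdict(results: dict) -> dict:
    """Summarise a scan result as a PCI DSS SSL/early-TLS verdict.

    Pure function, so it can be applied to results from any scanner. A host is
    only reported compliant when an acceptable version is offered, no
    deprecated version was negotiated, and no deprecated version was left
    untested (None), since "we could not check" is not "it is disabled".
    """
    enabled_legacy = sorted(v for v in DEPRECATED if results.get(v) is True)
    untested = sorted(v for v in PROBES if results.get(v) is None)
    strong = any(results.get(v) is True for v in ACCEPTABLE)
    untested_legacy = [v for v in untested if v in DEPRECATED]
    return {
        "compliant": strong and not enabled_legacy and not untested_legacy,
        "deprecated_enabled": enabled_legacy,
        "tls12_or_better": strong,
        "untested": untested,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    found = scan(target)
    print(found)
    print(pci_verdict(found))
```

Run it as `python tlscheck.py shop.example` (hypothetical name) before and after the change. On nginx the corresponding setting is `ssl_protocols TLSv1.2;`, on Apache httpd `SSLProtocol -all +TLSv1.2`; the scan should then report `TLSv1` and `TLSv1_1` as `False` and the verdict as compliant. Because client libraries differ in which legacy versions they can still offer, treat a `None` for a deprecated version as a gap to close with another tool rather than as a pass.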
UPDATE: PCI DSS Version 3.2 Released 28th April 2016
The latest version of PCI DSS was released on the 28th of April 2016; version 3.1 is retired on the 31st of October 2016, after which 3.2 is the only version you can validate against. The new requirements introduced in 3.2 are treated as best practice until the 31st of January 2018 and become mandatory from the 1st of February 2018. Version 3.2 also writes the SSL/early TLS migration dates into the standard itself (Appendix A2). The new version includes:
Multi-factor authentication
Requirement 8.3 now requires multi-factor authentication for all non-console administrative access to the cardholder data environment, not just for remote access from outside the network.
Designated Entities Supplemental Validation
Appendix A3 applies to entities that an acquirer or card brand designates as needing extra validation. It covers timely detection of and response to failures in critical security controls, documenting and validating the scope of the cardholder data environment (CDE), and executive oversight of the compliance programme.
Service Provider Requirements
Service providers must maintain documentation of their cryptographic architecture (3.5.1), detect and respond to failures of critical security control systems (10.8), test segmentation controls at least every six months (11.3.4.1), and perform quarterly reviews to confirm that personnel follow security policies (12.11). Executive management must also establish responsibility for protecting cardholder data and the PCI DSS compliance programme (12.4.1).
Xanthos works with PCI DSS compliant ecommerce software and hosting partners – so if you’re looking to secure your online business then get in touch today.