PCI Compliance: Has your business migrated to TLS 1.1 or above?

Ensure you're PCI compliant with EiB Analytics 2018

On June 30th 2018 all businesses were supposed to have migrated to TLS 1.1 encryption or higher; those that have not are at risk of relinquishing their ability to process credit card payments.

Sounds daunting, I know. That said, I have just realised it is very presumptuous of me to expect everyone to know what PCI stands for, let alone what the implications of non-compliance will be for your business now that the June 30th deadline has passed, so I should probably take a step back and explain that first…

PCI is the acronym for ‘The Payment Card Industry,’ which is governed by the PCI Security Standards Council (PCI SSC). This organisation is in charge of administering a set of security standards designed to ensure that any business that accepts, transmits or stores cardholder data, regardless of its size or number of transactions, maintains a safe and secure environment at all times.

In order to achieve this level of security, I.T. departments must adopt a protocol called TLS (Transport Layer Security), which provides the privacy and data integrity that two digital devices (such as computers and phones) need to communicate over the internet securely, without the transmission being exposed to outside parties. In fact, TLS is the most widely deployed security protocol in use today. Whether it be for making online payments, sending instant messages or exchanging files, I am 99.9% confident that your business is using it!

Right, so what does this have to do with me?

Well, the current version, TLS 1.0, which came into effect back in 1999, will no longer be recognised as a valid security control as of June 30th, because it has been deemed too far out of date: hackers have developed too many ways to exploit it. Therefore, every organisation which accepts, transmits or stores any cardholder data must upgrade to one of its successors, TLS 1.1 or TLS 1.2.

By not upgrading to TLS 1.1 or 1.2, you are putting your customers’ data at risk. The consequences of not being PCI compliant and suffering a data breach can include fines and the termination of your ability to process credit card transactions.

And now that the deadline has passed, the services on your website that require the use of TLS 1.1 or 1.2 will cease functioning, which means your payment processing, shipping rate, or other real-time data could also stop working if an upgrade to TLS 1.1 or 1.2 is not carried out imminently.

For those of you who may be struggling to remove all uses of SSL or early TLS in your environment, it is worth remembering that SSL and early TLS protocols can remain in use if they are not being used as a security control, although it is strongly recommended that you still upgrade to ensure your systems architecture is as secure as possible.

And what happens if I am an EiB customer? What are the implications for us?

If your I.T. department forces an upgrade to TLS 1.1 or 1.2 and mandates its usage, then no version of our A La Carte software will be able to connect to your Cubes until it is upgraded to EiB Analytics 2018.

That said, if your I.T. department allows you to remain on TLS 1.0/1.1, then A La Carte will still run fine, but in reality you are delaying the inevitable: you’ll need to upgrade for PCI compliance at some point in the very near future, and in doing so you will also be required to upgrade to EiB Analytics 2018 so that you’re both PCI and GDPR compliant.

So if you’d like to speak with us about all things PCI, then please contact us today and we can talk you through everything in further detail.