To All Prospay Inc. Merchants
As you may be aware, new PCI DSS requirements state that all payment systems must disable early-version TLS by 2018. Transport Layer Security (TLS) is a technology used to encrypt sensitive information sent via the Internet. TLS is the replacement for Secure Sockets Layer (SSL).
If you have a website that accepts online payments, this also affects you.
The PCI Security Standards Council is requiring all payment processors and merchants to move to TLS 1.2 and above by June 30, 2018. “But that’s almost a year away,” you’re saying; “why should I care now?” Well, PCI recommends switching as soon as possible, and several major payment gateways are heeding this advice. PayPal and Braintree are already requiring TLS 1.2 since June 30, 2017, and disabling all older protocols (SSL v3, TLS 1.0, and TLS 1.1). Authorize.Net disabled everything below TLS 1.2 on September 18, 2017.
In the short term, your immediate concern is probably to ensure your website doesn’t break when your payment processor stops supporting the older protocols. Each payment provider’s sandbox environment already has the new protocols in place, which can be used to verify compliance.
But longer term, your own website needs to be compatible too: If you accept SSLv3 or TLS 1.0 connections beyond June 2018, your site will not be PCI-compliant. You may have experienced your PCI Approved Scanning Vendor (ASV) scan already flagging your server for supporting the old protocols; the original deadline was June 2016. Right now you can get away with that given the right documentation, but you won’t be able to forever.
One of the primary reasons to delay (and the reason the original PCI deadline was pushed back) was that TLS 1.1 and 1.2 are not supported by default on Internet Explorer 10 or below. IE 8-10 are capable of supporting TLS 1.1 and 1.2, on some operating systems, but the feature must be manually enabled. Turning off TLS 1.0 on your server will mean any users whose browsers do not support the new protocols will be unable to access “https://” pages on your website. Instead, they will receive an error message: “Internet Explorer cannot display the webpage.” With usage of those older versions quickly dwindling, this is becoming less of a concern. Check your website analytics data to see how much of your traffic would be affected.
The situation amounts to this:
If your server does not support TLS 1.2 by June 30, 2017, you may not be able to process payments.
If your server still accepts TLS 1.0 on June 30, 2018, you will not be PCI-compliant.