SSL/Early TLS: Deadline for Migration


Do any of your merchants still rely on systems or applications that are not using the latest encryption security protocols? Per the PCI DSS, all entities must have ceased use of SSL/early TLS as a security control, and use only secure versions of the protocol, after June 30, 2018. SSL and early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. Entities are required to upgrade to a secure alternative and disable any fallback to both SSL and early TLS.

Prior to the June 30, 2018 date, any organization with an existing implementation of SSL or early versions of TLS is required to have a formal Risk Mitigation and Migration Plan (RMMP) in place. If your organization has been performing the required vulnerability scans, those scans should have returned a FAIL for any system found to be using these insecure protocols. You would then use your RMMP to detail plans for migrating to a secure protocol and outline the controls put in place for reducing the risk associated with SSL/early TLS until that migration is complete. The RMMP is used as documentation for passing the failed vulnerability scans, and may also need to be provided to your assessor as part of your PCI DSS attestation process.

However, the timeframe for just having a plan is drawing to a close, and the deadline to have fully migrated is not just going to affect your PCI compliance status. Many acquirers and payment gateways are ONLY going to support TLS 1.2, which means that if you have not modified your systems (or verified that your service providers have updated theirs), the risk of your merchants not being able to process payments is significant. It is our strong recommendation that you make the appropriate changes well before the deadline. Remediation efforts may take a while, and waiting until the last minute means you will be part of the mad scramble to get everything completed, tested, and rolled out by the due date.

You should also be aware that some acquirers and payment gateways are not waiting until the June 30, 2018 deadline and have set their own compliance dates for merchants to cease use of SSL/early TLS. Last fall, we saw some acquirers take the stance that no new merchants with TLS older than 1.2 would be on-boarded or given the ability to accept payments. We have also seen an acquirer refuse a gateway connection until an existing Point of Sale vendor supported TLS 1.2. All First Data “go forward” POS solutions had to have a TLS 1.2 download available by March 1, 2018. First Data has also been implementing service outages or periodic blackouts in which some merchants are not able to process transactions if they are using insecure protocols. This is considered a courtesy alert to customers that they will lose processing services permanently if they have not upgraded to TLS 1.2 by April 15, 2018.

If you are unsure of your acquirer’s requirements or you are unsure if you have disabled SSL/early TLS everywhere, you cannot put this off any longer. We recently had a university customer run vulnerability scans on all of their SAQ A e-commerce websites as an information security best practice, and the scans revealed that one of their third-party service providers had not migrated to TLS 1.2. If this had not been discovered now, this could have created a massive headache once the deadline was reached.

One other suggestion is that you may want to make your merchants and their customer service teams aware of this change. If any of their customers are using outdated web browsers, they may not be able to pay online once SSL/early TLS are disabled. It may be helpful to have your e-commerce sites create a pop-up message advertising what action will be needed in order to complete an order.

Don’t procrastinate. This deadline is not one that is going to come and go without noticeable consequences. If you have questions about how to migrate your systems or how to test to ensure all systems have been upgraded, please contact us.

Some additional guidance from our Security Advisor team is below:

[Wheeler]: Discontinuing the use of SSL and early TLS is the only remediation for some of the inherent flaws that have been discovered in the protocols in recent years. The PCI Council has previously granted an extension to this migration deadline, but it seems that no additional extension is on the horizon. Now is the time to take the leap and update to TLSv1.2 (or in certain cases, secure implementations of TLSv1.1).

Keep in mind that your help desk personnel may need to be aware of these upgrades, in case there is an uptick in calls regarding users having issues accessing payment pages after the upgrade. It could be very likely that they are using an older browser or operating system that doesn’t have the ability to use TLSv1.2 (or has it disabled by default). Testing should be started immediately to head off any issues after the “drop dead” date.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.