A PCI Security Deadline Could Halt Your Payment Card Processing or Draw Fines

As June expired, so too did a PCI security deadline, and the result for companies that haven’t met it could include steep fines or the inability to continue processing payment cards.

June 30 was the deadline set by the Payment Card Industry (PCI) Data Security Standards (DSS) Council to retire Transport Layer Security (TLS) 1.0 encryption. TLS 1.0, first published in 1999, no longer meets minimum PCI security standards.

The change applies to everyone who processes credit cards on premises from their own systems. It does not apply to Essent Cloud customers who process payment cards in the cloud; Essent disabled TLS 1.0 in 2016.

The PCI council is requiring companies who process payment cards to disable TLS 1.0 and enable TLS 1.2 or later. Companies who don’t may be subject to PCI fines. Companies who use a third-party payment card processor like USAePay may have payment card processing halted without the upgrade to TLS 1.2.

Microsoft provides documentation on how to enable the newer, more secure TLS 1.2 encryption standard.

If you use software via a cloud provider, ensure that your provider has enabled TLS 1.2 or greater.

If you host software on your own servers, enable TLS 1.2 or greater and be sure that you are using a server that supports it (Microsoft Server 2008, for example, doesn’t support any TLS version greater than 1.0).
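A read-only check for the on-premises case, added here as an example and not taken from this article or from Microsoft's documentation: it reads the SCHANNEL registry values that control TLS 1.0 and TLS 1.2 on a Windows server and reports whether each one matches the requirement. The function name Get-SchannelProtocolState and the finding labels are hypothetical, and the script assumes the software on the host uses the Windows SCHANNEL stack rather than a bundled TLS library.

```powershell
# Added example (not from the article): read-only audit of the SCHANNEL
# registry settings that govern TLS 1.0 and TLS 1.2 on a Windows host.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper: returns Enabled, Disabled or NotConfigured for one protocol and role.
function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role
    )
    $key = Join-Path (Join-Path $SchannelRoot $Protocol) $Role
    if (-not (Test-Path -Path $key)) { return 'NotConfigured' }
    $value = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { return 'NotConfigured' }   # key exists, value absent
    if ($value -eq 0)     { return 'Disabled' }
    return 'Enabled'                                   # any non-zero DWORD
}

# Requirement from the article: TLS 1.0 off, TLS 1.2 (or later) on.
# Server covers inbound connections; Client covers outbound calls to a processor.
$report = foreach ($role in 'Server', 'Client') {
    foreach ($protocol in 'TLS 1.0', 'TLS 1.2') {
        $state = Get-SchannelProtocolState -Protocol $protocol -Role $role
        $finding = switch ("$protocol/$state") {
            'TLS 1.0/Disabled'      { 'OK' }
            'TLS 1.0/Enabled'       { 'FAIL: TLS 1.0 explicitly enabled' }
            'TLS 1.0/NotConfigured' { 'REVIEW: not set, OS default applies' }
            'TLS 1.2/Enabled'       { 'OK' }
            'TLS 1.2/Disabled'      { 'FAIL: TLS 1.2 explicitly disabled' }
            'TLS 1.2/NotConfigured' { 'REVIEW: not set, OS default applies' }
        }
        [pscustomobject]@{
            Protocol = $protocol
            Role     = $role
            State    = $state
            Finding  = $finding
        }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit code lets a scheduled compliance job flag the host.
if ($report.Finding -match '^FAIL') { exit 1 }
```

A REVIEW result means the behavior depends on the Windows version, so set the value explicitly and confirm from another machine that the endpoint refuses TLS 1.0. SCHANNEL registry changes take effect after a restart.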

Essent customers, particularly Essent On-Premise customers, can read our Support Notice for more information.