FAQ: PCI Mandate to Retire TLS 1.0, SSL

The Payment Card Industry (PCI) Security Standards Council is strengthening its encryption standards to discontinue use of Transport Layer Security (TLS) 1.0 and Secure Socket Layers (SSL) in secure credit card transactions.

Why is this change happening?

The PCI Security Standards Council is the authority on what makes a credit card or debit card transaction secure. The council determined that TLS 1.0 and SSL are vulnerable to hackers. In other words, you can’t count on TLS 1.0 or any version of SSL to protect payment card data; the communication session needs TLS 1.1 or higher.

Who does this change affect?

Due to the popularity of web browsers that use TLS and SSL, most online sellers are expected to need to take action. Some consumers and B2B buyers are likely to need to take action as well.

When is this change happening?

It’s already underway. Websites that existed before April 2015 need to use TLS 1.1 or higher by June 30, 2016. Websites created since April 2015 need to use TLS 1.1 or higher immediately. Some websites have already made the change.

Essent is discontinuing use of TLS 1.0 before the PCI deadline and previously discontinued use of SSL.

I’m a business. What do I need to do?

Ensure that the technology you use to process payment card information uses TLS 1.1 or higher.

A good place to start is by asking your webmaster. If your webmaster is Essent and you have a support plan, please contact your Essent support representative. If your webmaster is Essent and you do not have a support plan, please contact your Essent sales representative.

The PCI Council has detailed, authoritative instructions.

Are my customers affected?

Yes. Both sides of the transaction need to use TLS 1.1 or higher. If the customer is using non-compliant encryption, they’ll get locked out of the transaction. You’ll need them to have compliant encryption in order to sell to them online.

What do my customers need to do?

You’ll need to educate your customers to have them update their web browsers to versions that disable TLS 1.0 or lower (for example, Internet Explorer 10 has a manual setting to disable TLS 1.0) and that support TLS 1.1 or higher.

In short, have your customers download the latest version of any major web browser. The latest versions of Google Chrome, Mozilla Firefox, Internet Explorer, and Safari use the compliant TLS 1.1 and higher.

How many customers are using out-of-date browsers?

One of the best ways to find out what browsers visitors are using to visit your website is Google Analytics. You can contact your webmaster. If your webmaster is Essent and you have a support plan, please contact your Essent support representative. If your webmaster is Essent and you do not have a support plan, please contact your Essent sales representative.

What browsers are supported by Essent?

Essent supports the latest and other recent versions of major web browsers including Chrome, Firefox, Internet Explorer, and Safari.

 

I’m a consumer. What do I need to do?

Just update your web browser to the latest version. The latest versions of the major web browsers use compliant encryption.

I’m a B2B buyer. What do I need to do?

It depends how you do your buying.

If you use a web browser to access the seller’s ecommerce site (the way you buy things for yourself from Amazon), then follow the instructions for a B2C consumer: Use the latest version of a major web browser.

If you have a more sophisticated method like an eprocurement system that performs a PunchOut Catalog transaction to a PunchOut enabled website, you’ll need to talk with your trading partner to ensure that both the buying and selling sides of it are using TLS 1.1 or higher.



Share This:
FacebookTwitThisLinkedInRedditSlashdot

Subscribe to Connect

Find news, webinars, technology, trends, and more in the Essent Connect email newsletter.



Essent Tweets