Plenty of U.S. merchants still working to complete their migration to EMV now have another high-pressure technology hurdle to worry about: Most are still using a core transaction security protocol set to expire in the next 11 months and if they don’t take appropriate action they’ll be unable to process transactions.

Most merchants are still relying on the 1.0 version of the payment encryption method known as Transport Layer Security (TLS), but hackers have so thoroughly exploited it that the Payment Card Industry is withdrawing support for that version on June 30, 2018, and processors will follow suit immediately.

Switching to one of two more recent supported versions of the encryption protocol—either TLS 1.1 or TLS 1.2—should be relatively simple. But many merchants are held back by their use of older computer hardware and Windows operating systems prior to Windows 7.

Dom Lachowicz, senior vice president of engineering at Cayan.
“We’re finding that lots of merchants are going to need to make very substantial changes in their storefront and e-commerce operations to be ready for next July,” said Dom Lachowicz, senior vice president of engineering at Cayan.

Payments technology provider Cayan estimates that about 60% of all merchants are still relying on the older version, TLS 1.0, and potential losses to merchants that don’t make the upgrade to newer versions by next year’s deadline could run into the billions.

“We’ve measured our own merchants’ exposure and presently about 55% of Cayan merchants are using the older version and will need to make some kind of change within the coming months to avoid losses,” said Dom Lachowicz, senior vice president of engineering at Boston-based Cayan.

Cayan recently stepped up its program to notify merchants of the need to assess existing systems to make changes in time, according to Lachowicz. Other major payments providers including Elavon and Chase Merchant Services also said they are working closely with merchants to drive awareness about the change.

“We’re finding that lots of merchants are going to need to make very substantial changes in their storefront and e-commerce operations to be ready for next July,” Lachowicz said.

Merchants with standalone payment terminals may simply need to download a new file, at no cost, but for large merchants with more complex, integrated POS systems that leverage older, out of date operating systems, necessary upgrades could cost “hundreds to thousands of dollars per lane,” Lachowicz said.

While Cayan is encouraging merchants to adopt TLS 1.2, the company will continue to support TLS 1.1 through its gateway after July 1, 2018, to smooth the transition. Some providers have opted to skip providing support for TLS 1.1, he noted.

Elavon has the necessary technology in place for its conversion to TLS 1.2 and the push will be a big priority for the company this year, a spokesperson said. "We are minimizing any customer impact by proactively working with them on timelines and the necessary steps they need to take ahead of the mandate," she added.

The PCI Security Standards Council has known for years that the older TLS 1.0 was becoming a threadbare bulwark against hackers, but while merchants were still grappling with EMV and other major changes, the council provided a two-year extension.

Small merchants may face significant challenges, but large merchants also may need to change significant elements of their systems to root out older operating systems that aren’t compliant with TLS 1.1 or 1.2, according to Lachowicz.

“Bigger companies have longer procurement cycles than smaller operators, but the urgency is the same and we anticipate that some number of merchants will be scrambling at the last minute if they don’t start assessing their situation immediately,” he said.

Future updates to TLS should pose fewer hassles.

The original version of TLS was introduced in 1999 to supersede Secure Socket Layer, and the PCI council began support for TLS 1.1 and then 1.2 more than a decade ago, as secure cryptographic protocols to protect data where servers communicate with Web clients. The newest version, TLS 1.3, is still in draft form and not commercially available yet, according to experts.