When you make a payment on a website over an HTTPS connection, Transport Layer Security (TLS) encryption is what makes your payment transfer over the public internet secure. Unfortunately, it's riddled with security flaws.
TLS, which also protects email, instant messaging and VoIP, supposedly ensures that encrypted communications are unreadable by third parties; that the identity of the parties can be authenticated to a known source using public key cryptography and that the messages or communications cannot be altered between transmission and receipt. It’s exactly the kind of technology that we should be using to protect our sensitive payment card data, right?
You would think so. But it has vulnerabilities, many of which have been widely publicized. The Heartbleed bug, an OpenSSL implementation flaw disclosed in 2014, impacted a massive number of software companies and websites. In fact, it’s believed 29% of the American population was impacted.
SSL (Secure Sockets Layer) and early TLS no longer meet minimum security standards due to known security vulnerabilities in the protocol for which there are no known fixes. As such, the most recent version of the Payment Card Industry Data Security Standard (PCI DSS) v3.1 stated that organizations processing payments would be required to migrate to at least TLS 1.1 encryption, or preferably higher, by June 2016.
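As an added example (not from this article or from Semafone), a small Python self-check a merchant can run against its own payment endpoints: it attempts a handshake pinned to each protocol version and maps whatever the server still negotiates onto the PCI DSS v3.1 verdicts described above (SSL and TLS 1.0 must go, TLS 1.1 is the floor, TLS 1.2 or higher is preferred). The host, port and the sample scan result at the bottom are assumptions.

```python
import socket
import ssl

# PCI DSS v3.1 verdict per protocol version, as described in the article.
VERDICT = {
    "SSLv3": "non-compliant (SSL: known flaws, no fix)",
    "TLSv1": "non-compliant (early TLS: known flaws, no fix)",
    "TLSv1_1": "minimum acceptable",
    "TLSv1_2": "preferred",
    "TLSv1_3": "preferred",
}


def server_accepts(host, port, name, timeout=5.0):
    """True if the server completes a handshake restricted to one version,
    False if it refuses, None if this client's OpenSSL cannot offer it at all.
    Certificate checks are off: only version negotiation is being tested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        version = getattr(ssl.TLSVersion, name)
        ctx.minimum_version = ctx.maximum_version = version
        # Modern OpenSSL security levels refuse legacy versions client-side;
        # lower the level so a "rejected" result reflects the server, not us.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def assess(results):
    """Turn {version_name: accepted} into what must be disabled and whether
    the endpoint meets the TLS 1.1 floor with at least one acceptable version."""
    weak = [v for v, ok in results.items() if ok and VERDICT[v].startswith("non-compliant")]
    strong = [v for v, ok in results.items() if ok and not VERDICT[v].startswith("non-compliant")]
    return {"disable": weak, "acceptable": strong, "compliant": not weak and bool(strong)}


def scan(host, port=443):
    """Probe every version in VERDICT against one endpoint and assess the result."""
    return assess({name: server_accepts(host, port, name) for name in VERDICT})


if __name__ == "__main__":
    # Constructed sample result (not a real scan): an endpoint that still speaks TLS 1.0.
    sample = {"SSLv3": False, "TLSv1": True, "TLSv1_1": True, "TLSv1_2": True, "TLSv1_3": None}
    print(assess(sample))
```

Run `scan("payments.example.com")` (assumed hostname) against your own endpoint; a non-empty `disable` list means the migration the article calls for is still outstanding.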
Unfortunately, the PCI Security Standards Council has moved back the deadline for organizations to migrate to TLS 1.1 to June 2018, or two years later than the original deadline proposed.
Many would argue that the PCI Security Standards Council pushed the date back to aid a percentage of merchant customers who use old, outdated, insecure technology, and big ecommerce companies do not want to lose out on these sales. But why should the masses suffer for the minority?
In a rare move, companies wanting security, not just compliance, are not waiting for the new PCI Security Standard deadline. Many in the payment community, including many Payment Service Providers (PSPs) are making encryption changes now.
Merchants and service providers need to start taking payment security into their own hands. Organizations need to be aware of risks independent of mandated deadlines, and customers must be responsible for their own actions, or lack of action, to protect their networks. Updates can be challenging and costly, but the risks associated with exposing sensitive consumer data greatly outweigh these costs. We, as an industry, need to make these changes now, in the interest of our customers and the general public, and in the interest of security rather than compliance.
Ben Rafferty is a payments security expert from Semafone.