We Already Have You Covered
You may have heard about a global issue in which Google researchers found unfixable vulnerabilities in commonly used encryption protocols. You may have also heard that, as a result, the PCI Council has delisted the vulnerable encryption protocols from being used for credit card processing. However, you may not understand what this means.
The encryption protocols of SSL and TLS have been in use for a long time. They essentially ‘scramble’ data during communications so that if the data is intercepted by an unauthorized individual, it cannot be read. In this manner, encryption is used for email, credit card data transmissions, ecommerce or any other sensitive data that needs to be protected. Specifically, the vulnerabilities apply to all versions of SSL and early versions of TLS, which is the more updated protocol.
What Do These Vulnerable Encryption Protocols Mean For My Business?
Nothing! Wind River is way ahead of the rest of the industry and so are you*. An article explaining TLS notes that 40% of merchants could be impacted, and when the merchant’s processor “flips the switch,” the merchant wouldn’t be able to process SSL or TLS 1.0. Their credit card processing would stop working for these transactions!
We have worked hard to communicate this critical change to our customers that were impacted well ahead of the looming deadline and taken the action needed to assure them their credit card processing would continue uninterrupted.
No need to send “Thank You” cards or gifts. It’s all in a day’s work here at Wind River and part of the After the Handshake Promise.
*We do have six customers we are still working with to overcome this obstacle. If you are one of these six, (you know who you are!) please read the PCI Council Specifics below and we will continue to work with you.
PCI Council Specifics
The PCI Council says that if you are involved in credit card processing, all entities must be off of all versions of SSL and TLS 1.0 by June 30, 2018 for PCI compliance. After this date, only TLS 1.1 or 1.2 should be used. Note that not all implementations of TLS 1.1 are immune from the vulnerability, so TLS 1.2 should be used if possible.
The PCI Council has provided guidance. Note that the June 30, 2018 deadline from the PCI Council is the end of a two-year extension that they originally provided due to the challenges of this global technology issue.