PCI, TLS 1.2, and the Upcoming Deadlines for Ecommerce Stores

tls_1.0_eol

As we discussed in a previous PCI blog post, the PCI council has pushed back the date for ending support for TLS 1.0 to June 30, 2018. However, many ecommerce related services are still going forward with removing support for TLS 1.0 this year.

What does this mean for ecommerce merchants?

Confusion abounds

We’ve received a number of emails and calls about this impending change that many payment gateways and shipping providers will be implementing. TLS 1.0 is an encrypted method (protocol) that one piece of software can use to securely communicate with another software system. Flaws have been discovered in TLS 1.0, so the PCI council has listed TLS 1.0 as an insecure method to use for secure ecommerce transactions.

Unfortunately, TLS 1.0 is a very common method to use on most servers. In fact, many servers do not fully support anything higher than TLS 1.0.

This is separate from your ecommerce site’s SSL certificate, which is used by your visitors to view pages securely on your website. What we’re talking about is the method by which your ecommerce software communicates with services such as payment gateways (e.g. Paypal, Authorize.net) and shipping services (UPS, FedEx, etc…).

What are the current deadlines?

Many service companies are moving ahead with ending support for TLS 1.0 sooner rather than later. These dates are subject to change, but as of this date, here is what we know:

Authorize.net

They originally listed June 30, 2016 as the date they would end support for TLS 1.0. However, with the change in dates by the PCI council, they have not listed an official end date yet. See this Authorize.net TLS 1.0 forum post on their site for updates to this date.

PayPal

PayPal is listing June 17, 2016 as the date all transactions must use TLS 1.2 for communicating with PayPal. They have a schedule of security changes that you may reference in case the dates change.

(update May 6, 2016) – PayPal has pushed back the date for requiring TLS 1.2 to June 30, 2017.

FedEx

FedEx will stop support for TLS 1.0 on August 1, 2016 as stated in their Ship Manager March 2016 Announcement.

UPS

UPS will require TLS 1.2 for all requests by May 31, 2016. This date is listed on the UPS Data Security Upgrade web page.

(update April 19, 2016) – UPS will be extending the deadline for TLS 1.2 to a time in the future. The original May 31, 2016 date is no longer being enforced.

Does my ecommerce software support TLS 1.2?

If you are hosting your ecommerce site with us, here is the information you need to know:

  • For ShopSite clients, you will need to be running the latest version 12 Service Pack 2 release of ShopSite in order to have full support for TLS 1.2. If you are running an older version, services may stop working as TLS 1.0 support ends. The upgrade to the latest version of ShopSite is quite seamless in most cases. We have more information about upgrading ShopSite on our website.
  • For Magento merchants, we will have PHP updated on all servers to fully support TLS 1.2 (via curl) by May 31, 2016. This will ensure that shipping and payment gateway services will continue to work as they end support for TLS 1.0.
  • For other PHP based ecommerce applications like WooCommerce, we will have all servers updated to support TLS 1.2 via curl by May 31, 2016.

If you do not host your ecommerce store with us, you will want to check with your hosting company to make sure that PHP is compiled with TLS 1.2 support via curl, which by default on most servers is not the case.

….

This process of ending support for TLS 1.0 will not be a smooth transition for many merchants. I fear many web hosts have not made the proper preparations to have full support for TLS 1.2. This could lead to ecommerce stores not being able to accept payments, and/or provide real-time shipping rates. If you’re hosted with us, we’ll make sure everything works before these deadlines occur.

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

2 Comments

  1. Chandresh says:

    For magento we have to do any changes in code or URL ? Or TLS 1.2 is only related to Server settings?

Leave a Reply to Robert Mangiafico