People make transactions on the internet more often than ever before, and with this trend, concerns about the security of financial data have grown as well. 2017 will bring enhanced security measures to reduce the threat of data theft, and it may change how you make online purchases, do online banking, and exchange other personal data online. In this post, we’ll explain the web encryption changes coming to a web browser near you.
TLS 1.2, Explained
On January 1, 2017, all companies that process credit card payments online must switch to the latest standard of encryption, known as Transport Layer Security 1.2, or TLS 1.2 for short. You may not have heard of TLS or its counterpart Secure Sockets Layer (SSL) before, but these are crucial encryption protocols that make secure communication on the internet possible.
How the Shift from TLS 1.1 to TLS 1.2 Will Affect Internet Users
Most credit card processing gateways will end support for TLS 1.1 come January 1. After this date, transactions will fail on websites that have not connected to their payment gateway via TLS 1.2. If you are a business owner, contact your payment service provider if you have questions about this switch.
Large companies like Google and Apple are also switching to TLS 1.2 and dropping support for TLS 1.1 on many of their websites. Internet users should upgrade their browser to the latest version, or get a better browser such as Google Chrome.
Outdated computers may have trouble accessing many websites in 2017. Windows Vista and earlier versions of Windows may not support TLS 1.2 at all unless those older systems receive a technical update.
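For a business that talks to its payment gateway from its own server code, the practical check is whether that client side can still complete a handshake once anything below TLS 1.2 is refused. The following is an added example written for this post, not code from any payment provider: it builds a client context that rejects SSLv3, TLS 1.0 and TLS 1.1 while keeping certificate and hostname verification on, reports the version a server actually negotiates, and classifies that version against the cutoff. The hostname `gateway.example` is a placeholder you replace with your gateway's API endpoint.

```python
"""Check that a client connection negotiates TLS 1.2 or newer (added example, not vendor code)."""
import socket
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2  # the floor the post describes for payment processing


def tls12_client_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2.

    Verification stays on, so a server impersonating the gateway is rejected
    in the same handshake that enforces the version floor.
    """
    ctx = ssl.create_default_context()  # loads the system trust store, verifies certificates
    ctx.minimum_version = MIN_VERSION   # SSLv3, TLS 1.0 and TLS 1.1 fail at the handshake
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect once and return the protocol the server agreed to, e.g. 'TLSv1.2'.

    Raises ssl.SSLError when the server cannot do TLS 1.2 or newer, which is the
    failure a merchant would see after a gateway drops older versions.
    """
    ctx = tls12_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def meets_cutoff(version: str) -> bool:
    """True for TLS 1.2 or newer; False for TLS 1.1, TLS 1.0, and any SSL version."""
    if not version.startswith("TLSv"):
        return False  # 'SSLv3' and friends
    major, _, minor = version[4:].partition(".")  # 'TLSv1' has no minor part
    return (int(major), int(minor or 0)) >= (1, 2)


if __name__ == "__main__":
    gateway = "gateway.example"  # placeholder: replace with your payment gateway host
    try:
        v = negotiated_version(gateway)
        print(f"{gateway}: negotiated {v}, meets cutoff: {meets_cutoff(v)}")
    except ssl.SSLError as exc:
        print(f"{gateway}: handshake failed, server likely lacks TLS 1.2 support: {exc}")
```

Running this from the machine that hosts your checkout code, rather than from a workstation, tests the OpenSSL build that will actually carry the transactions.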
Why Web Encryption Matters
Websites use encryption protocols to create secure connections, recognizable by the green HTTPS indicator in the browser's address bar. A secure connection prevents would-be thieves from snooping on and stealing your personal information. When you connect to an encrypted website, the data you send and receive is unreadable to others.
SSL protocols have long been a standard web security measure. TLS, the successor to SSL, adds further protection, allowing your browser to automatically verify the identity of the servers your computer communicates with. It’s difficult (but not impossible) to impersonate another server when strong encryption is in use. Encryption is one of the strongest security measures available, but it isn’t perfect.
Both white hat (good guy) hackers and black hat (bad guy) hackers work tirelessly to find weaknesses in different types of encryption. Newer protocol versions replace older ones when vulnerabilities are discovered. For instance, many websites switched from SSL to TLS years ago. Today, TLS 1.1 is one of the most widely used types of encryption on the internet. Unfortunately, it no longer provides strong enough security. Users of TLS 1.1 are advised to upgrade to TLS 1.2, but companies that process credit card transactions don’t have a choice: they must adopt TLS 1.2 on January 1, 2017.
Credit Card Companies Led the TLS Switch
The Payment Card Industry Data Security Standard (PCI DSS) mandated the change from TLS 1.1 to TLS 1.2 for 2017. The PCI DSS is a set of standards that ensures credit card information is handled correctly and reduces the risk of credit card or data theft as far as possible.
Visa, American Express, MasterCard, and other major credit card companies formed the PCI Security Standards Council (SSC). This organization maintains and enforces the DSS safeguards to protect both consumers and businesses from cyber threats.
If you or your company accept credit card payments, you must follow the rules of the PCI DSS. Luckily, nearly all payment gateways (such as PayPal, Stripe, Authorize.net, etc.) handle most compliance details for clients. However, you should still be aware of your responsibilities when handling payment information.
Few are likely to read fine print these days. But you should be aware that mishandling credit card data carries heavy fines — up to thousands of dollars for every instance that a card is compromised. Other penalties can include IRS-like scrutiny from the PCI SSC, heightened reporting requirements, and even bans on accepting credit card payment entirely!