Web Encryption Changing in 2017 — And Why that Matters

People make transactions on the internet more often than ever before, and concerns about the security of financial data have grown with them. 2017 brings stricter requirements on the encryption used to carry card data, and they may affect how you shop online, do online banking, and exchange other personal data over the web. In this post, we explain the web encryption changes coming to a browser and a checkout page near you.

TLS 1.2, Explained

During 2017, most payment gateways and card processors are cutting off connections that use SSL or early versions of TLS and requiring merchants to connect over the current standard, Transport Layer Security 1.2 (TLS 1.2 for short). The payment card industry's own hard deadline for retiring SSL and TLS 1.0 is June 30, 2018, but many gateways have set earlier cutoffs that fall in 2017. You may not have heard of TLS or its predecessor, Secure Sockets Layer (SSL), but these are the protocols that make encrypted communication on the internet possible.


How the Shift from Early TLS to TLS 1.2 Will Affect Internet Users

Many credit card processing gateways are ending support for TLS 1.0 and TLS 1.1 during 2017, each on its own schedule. After a gateway's cutoff, payment requests from a merchant site whose server software cannot negotiate TLS 1.2 are rejected during the handshake, before any card data is sent, and the customer sees a failed transaction. If you are a business owner, ask your payment service provider for its exact cutoff date and test your integration against its sandbox environment before then.

Large companies such as Google and Apple are also requiring TLS 1.2 for many of their services and dropping the older versions. Internet users should keep their browser up to date; every current major browser supports TLS 1.2.

Outdated computers may have trouble reaching many websites in 2017. Windows Vista and earlier versions of Windows do not support TLS 1.2 at all, and Windows 7 only negotiates it in Internet Explorer once it has been updated and enabled. The same applies to server-side software: builds of OpenSSL older than 1.0.1 and Java 7 clients with their default settings will not negotiate TLS 1.2, and the merchant server's connection to the gateway is exactly what the cutoff tests.
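To see what "the transaction fails" looks like at the protocol level, here is an added example in Python's standard library; it is not code from the original post and is not tied to any particular gateway. It builds sample TLS ServerHello and Alert records (constructed inline, not captures, so the parser can be exercised offline) and parses them to report the negotiated version, the cipher suite, and whether the result meets a TLS 1.2 floor. `make_client_context` shows the client settings a merchant integration should use toward its gateway, and `probe_version`, which needs network access and is only called from the `__main__` block against the placeholder host example.com, runs the same check against a live server. The cipher and alert tables are small subsets of the IANA registries.

```python
"""Added example: check which TLS version a server negotiates and whether it meets a TLS 1.2 floor.

Not code from the original post. Standard library only. The ServerHello and Alert
records are constructed inline (sample data, not captures) so the parser can be
exercised offline; probe_version() does a live handshake and is only called from __main__.
"""
import socket
import ssl
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CIPHER_NAMES = {  # small subset of the IANA cipher-suite registry
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
MIN_ACCEPTABLE = 0x0303  # TLS 1.2: the floor a merchant should require toward its gateway


def build_server_hello(version, cipher_suite, extensions=b""):
    """Construct a minimal ServerHello record (sample data for the parser below)."""
    body = struct.pack("!H", version) + bytes(32)   # server_version + 32-byte random (zeros here)
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!HB", cipher_suite, 0)     # cipher_suite + null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def build_alert(level, description):
    """Construct a TLS Alert record, e.g. what a TLS-1.2-only gateway returns to an old client."""
    return b"\x15\x03\x03\x00\x02" + bytes([level, description])


def parse_server_response(data):
    """Parse the first record a server sends back: either a ServerHello or an Alert."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("truncated record body")
    if content_type == 0x15:                        # Alert: the handshake was refused
        level, desc = payload[0], payload[1]
        return {"kind": "alert", "level": "fatal" if level == 2 else "warning",
                "description": ALERT_NAMES.get(desc, str(desc))}
    if content_type != 0x16 or payload[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                    # skip server_version and random
    pos += 1 + body[pos]                            # skip session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                        # cipher_suite + compression_method
    # TLS 1.3 keeps legacy_version = 0x0303 and puts the real version in the
    # supported_versions extension (type 43), so walk the extensions if present.
    if pos < len(body):
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == 43 and ext_len == 2:
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return {"kind": "hello",
            "version": VERSION_NAMES.get(version, hex(version)),
            "cipher": CIPHER_NAMES.get(cipher, hex(cipher)),
            "acceptable": version >= MIN_ACCEPTABLE}


def make_client_context():
    """Client settings a merchant integration should use: certificate checks on, TLS 1.2 floor."""
    ctx = ssl.create_default_context()              # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def probe_version(host, version, port=443, timeout=5.0):
    """Live check (network): does `host` complete a handshake pinned to exactly `version`?"""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()                # e.g. "TLSv1.2"
    except (ssl.SSLError, OSError) as exc:
        return "refused (%s)" % exc.__class__.__name__


if __name__ == "__main__":
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(v.name, "->", probe_version("example.com", v))   # placeholder host
```

Run the script against your gateway's hostname instead of example.com: a gateway that has completed its migration answers the TLS 1.0 and 1.1 probes with a refusal (on the wire, a fatal `protocol_version` or `handshake_failure` alert, which `parse_server_response` would label as such) and only the TLS 1.2 probe succeeds. `make_client_context` is the other half of the fix: a client that sets a TLS 1.2 floor fails fast and loudly against a misconfigured endpoint instead of silently negotiating down.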

Why Web Encryption Matters

Websites use encryption protocols to create secure connections, recognizable by the padlock icon and the https:// prefix in the address bar. A secure connection prevents would-be thieves from snooping on your personal information. When you connect to an encrypted website, the data you send and receive is unreadable to anyone sitting between you and the site (on the coffee-shop Wi-Fi, at the ISP) and cannot be altered in transit without detection.

TLS is the successor to SSL rather than an extra layer on top of it. Both protocols do three things: encrypt the traffic, detect tampering with it, and let your browser verify the identity of the server it is talking to by checking the server's certificate. It is difficult (but not impossible) to impersonate a server when the client checks certificates and uses strong encryption. Encryption is one of the strongest security measures available, but it isn't perfect.

Both white hat (good guy) hackers and black hat (bad guy) hackers work tirelessly to find weaknesses in different versions of these protocols, and newer versions replace older ones as vulnerabilities are found. Many websites moved from SSL to TLS years ago, and SSL 3.0 was finally retired after the POODLE attack. Today most of the web already negotiates TLS 1.2; it is TLS 1.0, and the rarely used TLS 1.1, that linger on older servers and clients. Those versions cannot use the modern authenticated-encryption cipher suites (such as AES-GCM) that TLS 1.2 introduced and depend on older constructions that have been attacked, so they no longer provide strong enough protection. Anyone still running them is advised to move to TLS 1.2; merchants connecting to card processors have no choice once their gateway's cutoff arrives.

Credit Card Companies Led the TLS Switch

The Payment Card Industry Data Security Standard (PCI DSS) is behind this migration. Since version 3.1 (April 2015) the standard has classified SSL and "early TLS" (TLS 1.0) as no longer being strong cryptography, with a final deadline of June 30, 2018 for existing implementations to migrate; TLS 1.1 is tolerated, but TLS 1.2 is the recommended target, and most gateways have chosen to move early rather than wait for the deadline. The PCI DSS is a set of requirements for how credit card information must be handled, intended to reduce the risk of card data theft.

Visa, MasterCard, American Express, Discover, and JCB formed the PCI Security Standards Council (PCI SSC) in 2006. The Council maintains the DSS and its supporting documents; enforcement, through compliance validation and penalties, is carried out by the card brands and by the acquiring banks that sign up merchants, not by the Council itself.

If you or your company accept credit card payments, you must follow the rules of the PCI DSS. Luckily, hosted payment pages and tokenizing gateways (such as PayPal, Stripe, Authorize.net, etc.) keep the card number itself off the merchant's systems, which takes most of the compliance scope off your hands. You still have to complete the appropriate Self-Assessment Questionnaire each year and remain responsible for what your own site does with payment information.

Few are likely to read the fine print these days, but you should be aware that mishandling card data is expensive. After a breach, the card brands, acting through your acquiring bank, can assess fines and pass on the cost of reissuing every compromised card, which adds up to thousands of dollars even for a small incident. Other consequences include a mandatory forensic investigation, heightened reporting requirements, and in the worst case losing the ability to accept credit card payments entirely.