SSL, TLS and SHA — Wading Through PCI Alphabet Soup to Keep Data Safe
Updated: January 20, 2017 | EMV
by Jerry Lake, Integration Manager
Network and information security has always been a moving target, and this is certainly true within the Payment Card Industry (PCI). Due to the relentless acts of hostile factions, the highest security measures of today become the deprecated security measures of tomorrow, and eventually go the way of the 3.5” floppy disk.
If you’ve adopted an EMV-compliant payment solution, great: you’re effectively keeping credit card data out of your ticketing system. But if you’re like the majority of merchants and are still weighing the costs vs. benefits of EMV adoption, or have not adopted EMV across all sales channels, chances are your ticketing system is communicating over the internet with a credit card acquirer (e.g. Chase Paymentech, First Data) to authorize your transactions. And this is where PCI steps in to ensure safe travel of that sensitive data.
For transmission of cardholder data, SSL 3.0 was the encryption standard for many years, but in recent years it has been proven insecure. TLS 1.0 came in to alleviate that, but was only marginally better than SSL 3.0. TLS 1.1 was an improvement, and TLS 1.2 is now the strongest version in widespread use. The Galaxy suite of products has been updated to communicate at the highest level of encryption supported by the payment host: we attempt to negotiate TLS 1.2, but if the host is not able, we fall back to a lesser version.
A good, not overly-techy summary can be found here on the PCI council’s site: https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
Initially, the PCI council attempted to mandate TLS 1.2 adoption by June 2016, but there was strong pushback from both the credit card acquirers and the merchants, who could not get all their systems updated by then. The PCI council then added two years to the mandatory adoption date, which now stands at June 2018.
Some banks (which control your merchant banking account, where your settled transactions are posted) and some credit card acquirers have mandated adoption of TLS 1.2 ahead of PCI’s June 2018 deadline. You may receive a notice from your acquirer or your bank indicating a requirement for TLS 1.2. The notices may also reference SHA-2 (Secure Hash Algorithm – 2), which would be handled by a TLS 1.2-capable system.
Check with your ticketing provider to ensure the version of software you’re currently running is capable of these newest security encryption features, so that you’re prepared and protected.
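One way to see the difference between the "fall back to a lesser version" behaviour described above and a TLS 1.2-only configuration, and to check what a payment host actually offers, as an added example that is not part of this post and not Galaxy code (the host name, port and function names are assumptions):

```python
"""Added example: compare a client that can fall back to early TLS with one
that refuses anything below TLS 1.2, and probe which versions a host accepts."""
import socket
import ssl

# What PCI DSS calls "SSL and early TLS": the versions the migration retires.
WEAK_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def legacy_context() -> ssl.SSLContext:
    """Mirrors 'negotiate 1.2 but fall back': any version from TLS 1.0 up is accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def pci_context() -> ssl.SSLContext:
    """Hardened client: the handshake fails rather than downgrade below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # the acquirer's certificate must match its name
    ctx.verify_mode = ssl.CERT_REQUIRED  # and must chain to a trusted CA
    return ctx


def allows_weak_version(ctx: ssl.SSLContext) -> bool:
    """True if this context would still negotiate one of the retired versions."""
    return ctx.minimum_version in WEAK_VERSIONS


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Pin the client to one version at a time and record which ones the host
    completes a handshake with. A host ready for the June 2018 deadline should
    answer True only for TLSv1_2. Needs network access; host is an assumption."""
    results = {}
    for ver in WEAK_VERSIONS + (ssl.TLSVersion.TLSv1_2,):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ver
        ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[ver.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[ver.name] = False
    return results


if __name__ == "__main__":
    # Hypothetical acquirer host name; replace with the one from your notice.
    print(probe_versions("payment-host.example"))
```

A host that still returns True for TLSv1 or TLSv1_1 will let the legacy client downgrade, which is exactly what the PCI migration is meant to stop.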