By June 30, 2018, your website will be required to use a later version of the TLS protocol for secure payment communications.
That means if your site is using an old TLS version or SSL, then it will be in violation of the PCI Data Security Standard (PCI DSS).
Even worse: you’re putting customer data at risk.
In this article, we’ll cover the upcoming SSL deadline and explain how you can be sure your website is secure.
What is TLS?
Webmasters often use the acronyms SSL (Secure Sockets Layer) and TLS (Transport Layer Security) interchangeably. That’s for good reason.
Although there are some differences between the two protocols, for practical purposes they’re basically the same.
SSL was developed in the 1990s. It evolved into TLS.
Unfortunately, though, SSL v2 and SSL v3 aren’t secure any more. Neither is TLS v1.0.
That’s why you need to upgrade to TLS v1.1 at a minimum. But you should go “all in” and upgrade to TLS v1.2.
How TLS Secures Your Site
TLS secures your site with encryption and authentication.
Encryption encodes the communication between the server (your website) and the client (somebody’s browser). That way, people who are eavesdropping on your communications won’t be able to see any useful info (like credit card numbers).
Authentication provides a level of trust between the server and the client. It ensures that the client is communicating with the server it intends to communicate with.
Without authentication, hackers could stage a “man in the middle” attack and retrieve payment data or personally identifiable info (PII).
If you’re running an ecommerce site that accepts credit card payments online, it’s critical that you ensure the security of communications between your server and your customers. Otherwise, their data might be compromised.
Older TLS and SSL
If your website is still using SSL v2, SSL v3, or TLS v1.0, then it will be out of compliance on June 30, 2018. That means you have until that date to get things fixed.
Unfortunately, though, you can’t just patch those older versions of the protocols. You have to upgrade to a newer version.
Why? Because there are no patches that fix the security vulnerabilities in the old versions.
Of course, all of this raises the question: how can you tell if you’re using an older version of TLS or SSL? To answer that question, you’ll have to do some investigating.
Checking Your Security Protocol Version
If you’re not a high-tech geek, all of this chatter about security protocols and versions might seem a bit overwhelming. That’s okay.
The good news is that you’ve probably already got a team in place that has you covered.
If you’re using a reputable hosting provider to run your website, then your server is probably using the latest protocol. You don’t have to do anything.
Remember, hosting providers have security teams in place that keep up with the standards. They install patches and upgrades accordingly.
Still, it’s a good idea to touch base with your provider’s technical support staff. A qualified rep should be able to tell you what version of TLS you’re using.
Also, keep in mind that many of the more recent server platforms are already compliant with the new standard.
Windows Server 2012, for example, already uses the more recent TLS protocol. So if you’re using that operating system, you should be in good shape.
But don’t let this article give you too much confidence. It’s still worth your while to contact tech support and ensure that you’re up to date.
If your website is running on a UNIX platform, you probably have the latest protocol. Again, though, you really need to exercise some due diligence.
One of the best ways to find out if your site is compliant is with an audit by an Approved Scanning Vendor (ASV).
An ASV is a digital security company that specializes in finding website vulnerabilities and fixing them.
The PCI Security Standards Council keeps a list of approved scanning vendors. You should filter that list based on your own country and find a company that will audit your site.
That’s going to cost some bucks, though.
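A free first check you can run before paying for an audit, as an added example that is not from the original article: the Python script below offers your server one protocol version at a time and applies the rule described above (SSL v3 and TLS v1.0 fail, TLS v1.1 is the minimum, TLS v1.2 is the goal). The host name `shop.example` and the script name are placeholders, and the script assumes a Python 3.7+ install whose OpenSSL library can still offer the old versions; where it can't, the result says so instead of guessing.

```python
import socket, ssl, sys, warnings

# (name, constant, can this Python/OpenSSL build offer it?). SSL v2 is not listed:
# no current build can offer it, so checking for it needs a dedicated scanner.
PROBES = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
]
BANNED = ("SSLv3", "TLSv1.0")   # versions the article says put a site out of compliance

def server_accepts(host, version, port=443, timeout=5):
    """Offer exactly one protocol version; True if the server completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # protocol support is under test, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let the local OpenSSL offer legacy versions
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionResetError):
            return False                     # server refused this version

def scan(host, port=443):
    """Map each version name to True/False, or None when this build cannot offer it."""
    return {n: server_accepts(host, v, port) if ok else None for n, v, ok in PROBES}

def verdict(accepted):
    """Apply the article's rule to a scan() result."""
    bad = [n for n in BANNED if accepted.get(n)]
    untested = [n for n in BANNED if accepted.get(n) is None]
    if bad:
        return "FAIL: server accepts " + ", ".join(bad)
    if untested:
        return "INCONCLUSIVE: could not offer " + ", ".join(untested)
    if accepted.get("TLSv1.2"):
        return "PASS: TLS 1.2 available, nothing older than TLS 1.1 accepted"
    if accepted.get("TLSv1.1"):
        return "PASS (minimum): TLS 1.1 only, upgrade to TLS 1.2"
    return "UNKNOWN: neither TLS 1.1 nor TLS 1.2 was accepted"

if __name__ == "__main__" and len(sys.argv) > 1:
    results = scan(sys.argv[1])              # e.g. python tlscheck.py shop.example (your own site)
    print(results, verdict(results), sep="\n")
```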
Google Search Console Notifications
Another way to check for compliance is to browse through your Google Search Console notifications.
Look for this kind of message: “An outdated version of TLS is being used on the site.”
If you see that, you have to upgrade. Fortunately, Google also provides you with links to instructions on how to upgrade your protocol.
Wrapping It Up
Before you know it, the June 30 deadline will be here. That’s why you need to make sure that your website is compliant with the latest security standards. If you haven’t already done so, schedule an audit and follow the recommendations that come from it.
Author: John Lincoln