Now that the PCI Security Standards Council’s July 1 deadline has passed for implementing newer versions of Transport Layer Security technology to protect payment data, some experts believe nearly a third of small brick-and-mortar and e-commerce merchants don’t meet the new requirements. As a result, expect merchant acquirers, processors, and networks to step up efforts to bring those merchants into compliance in the coming months.
“The focus from the card brands and the PCI [Council] is expanding to the smaller merchant and franchises” regarding PCI compliance, Michael Aminzade, vice president of global compliance and risk services for Trustwave Holdings Inc., a Chicago-based provider of data-security services and technology, tells Digital Transactions News by email. Aminzade estimates that about 30% of Internet retailers and low-volume, so-called Level 4, physical merchants aren’t using approved TLS technology yet, despite years of advance notice.
TLS is a cryptographic protocol used to protect information passing between Internet-connected systems. It’s the successor to Secure Sockets Layer technology developed in the mid-1990s. Security experts now consider SSL and the first version of TLS to be inadequate for today’s data-protection needs. In 2015, the Wakefield, Mass.-based PCI Council issued a June 2016 deadline for card-accepting merchants to migrate from those earlier systems to TLS 1.1 or higher. The Council later pushed the deadline back to July 1, 2018.
Merchants still using SSL and the early version of TLS are extremely vulnerable to hackers, according to security experts. The two primary impediments to TLS adoption among small merchants are a lack of the financial resources needed to become compliant and a failure to make compliance part of their business culture.
“There has been adequate time provided for evolving requirements,” says Aminzade. “The main issue is organizations still do not want to or can’t spend the money needed to be compliant and maintain compliance.”
Enforcement of the new standard is chiefly up to merchant acquirers, so whether the non-TLS-compliant merchants will continue to be allowed to accept card payments is a matter for those processors to decide. For physical merchants, one criterion that may be used to determine continued acceptance is whether the connection between a point-of-sale terminal and the processor is vulnerable to hackers.
“From an SSL/TLS connection point, as long as the connection between the terminal and the processing system is not [subject] to the SSL/TLS vulnerabilities, then there is an exemption for terminals to continue to use the channel,” Aminzade says. “However, part of the exemption is to monitor to make sure this channel does not become vulnerable.”
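The monitoring Aminzade describes comes down to knowing which protocol version the terminal-to-processor channel actually negotiates, and checking it against the TLS 1.1-or-higher requirement described above. The following is an added example, not code from the article or from any vendor quoted in it: it passively parses a captured TLS ServerHello record, recovers the negotiated version (including TLS 1.3, which hides its real version in the supported_versions extension), and flags SSL and early TLS. The sample records are constructed inline, not real captures.

```python
# PCI DSS treats SSL and TLS 1.0 ("early TLS") as non-compliant; TLS 1.1+ passes.
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
MIN_COMPLIANT = 0x0302          # TLS 1.1, the floor set by the July 1 deadline
SUPPORTED_VERSIONS_EXT = 0x002B  # extension that carries TLS 1.3's selected version


def negotiated_version(record: bytes) -> int:
    """Return the protocol version negotiated in a TLS ServerHello record.

    TLS 1.3 keeps legacy_version = 0x0303 in the ServerHello body and puts
    the real selected version in the supported_versions extension, so the
    body version alone would under-report it as TLS 1.2.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                          # skip server_version and random
    pos += 1 + body[pos]                  # skip session_id_len and session_id
    pos += 2 + 1                          # skip cipher_suite and compression_method
    if pos + 2 <= len(body):              # extensions block is optional pre-1.3
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = int.from_bytes(body[pos + 4:pos + 6], "big")
            pos += 4 + elen
    return version


def assess(record: bytes) -> tuple:
    """Map a ServerHello to (human-readable version, compliant with TLS 1.1+ floor)."""
    v = negotiated_version(record)
    return VERSION_NAMES.get(v, f"unknown 0x{v:04x}"), v >= MIN_COMPLIANT


def build_server_hello(version: int, extensions: bytes = b"") -> bytes:
    """Constructed sample ServerHello (zeroed random, empty session id); not a real capture."""
    body = version.to_bytes(2, "big") + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version.to_bytes(2, "big") + len(handshake).to_bytes(2, "big") + handshake
```

Fed records from a capture of the terminal link, `assess` returns `("TLS 1.0", False)` for a legacy terminal that must be remediated or covered by a compensating control, and `("TLS 1.3", True)` for one whose ServerHello carries the 0x002b extension selecting 0x0304.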
That raises the issue of so-called compensating controls to fortify known weaknesses.
“If compensating controls are considered after July 1, the risk of exposing the information needs to be eliminated, for example, by encrypting data before it goes over the SSL/TLS connection or, alternatively, tunneling the SSL/TLS connection inside a VPN [virtual private network] that uses strong cryptography,” says Troy Leach, the PCI Council’s chief technology officer.
Maintaining compliance with PCI rules regarding TLS can even be a challenge for large merchants such as airlines. “In the airline industry there are dependencies on service providers that provide contracted services to airports that the airlines are forced to use,” says Aminzade. “If these service providers have issues maintaining compliance or upgrading equipment, then it is the airline (merchant) that ends up suffering non-compliance unless they look to change how they operate within the airports.”