TLS and PCI, Explained

PCI, SSL and TLS can be confusing. Here are the basics about the recent shift in data security protocols.

Sensitive info that travels over the internet is always seeing new kinds of cyber security threats. That’s why there are regular security updates for the systems that transmit it. But all the acronyms you hear can get a little confusing.

In December 2015 the Payment Card Industry Security Standards Council (PCI SSC) announced that the Transport Layer Security (TLS) 1.0 encryption methods for web-based payment processing systems would expire June 30, 2018.

As of July 1, 2018, payment processing systems had to be updated to TLS 1.2 to comply with PCI standards, which we’ll break down more below. TLS 1.1 is acceptable, but 1.2 is strongly encouraged now. The requirement applies to credit card terminals, payment gateways, servers and all other data channels that use the internet.

If your payment terminal is connected via phone line, this update didn’t apply to your business.

What is TLS?

The Internet Engineering Task Force (IETF) spells out the details of TLS. It’s a security protocol that encrypts data passed between web-based systems in order to protect it. Its objective is to make sure the data is incorruptible as it moves over the internet. TLS originated from the Secure Sockets Layer (SSL) 3.0 protocol and eventually replaced SSL because it’s more secure.

What makes TLS different from SSL?

The new “TLS Handshake” between servers and clients, or between servers and servers, confirms the identity of both parties and creates unique keys to encrypt and decrypt the data transferred between them, distinguishing TLS as the gold standard in modern internet security protocols.

TLS applies to the transfer of any sensitive information—healthcare details, emails and more—so it’s used by a variety of entities, not just the payments industry.

Consequences of Non-Compliance

Migration to the newer TLS protocols was a priority for businesses well before the deadline. There are no patches or enhancements that can make the outdated standards safer, hence the need to disable and replace them. POODLE and BEAST attacks are just two examples of how SSL and TLS 1.0 have been exploited.
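As an added example (not part of the original article), the sketch below audits an nginx configuration for the protocol versions discussed above, using nginx's `ssl_protocols` directive. The function name, the verdict labels, the sample configs and the treatment of TLS 1.3 as acceptable are assumptions made for illustration; it expects each directive to start on its own line.

```python
import re

# Policy as this article states it: SSL and TLS 1.0 are retired, TLS 1.1 is
# tolerated, TLS 1.2 is the target. TLS 1.3 is newer than the article and is
# treated as acceptable here (assumption).
POLICY = {"SSLv2": "fail", "SSLv3": "fail", "TLSv1": "fail",
          "TLSv1.1": "warn", "TLSv1.2": "ok", "TLSv1.3": "ok"}

# Matches an active (not commented-out) nginx ssl_protocols directive.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols\s+([^;#]+);", re.MULTILINE)

def audit_ssl_protocols(config_text):
    """Return (verdict, findings); findings are (line, protocol, status)."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start()) + 1
        for proto in m.group(1).split():
            # Unrecognised tokens are flagged rather than silently accepted.
            findings.append((line_no, proto, POLICY.get(proto, "unknown")))
    if not findings:
        # No explicit directive: nginx uses a built-in default that depends
        # on its version, so the result cannot be judged from the file alone.
        return "no-directive", findings
    statuses = {status for _, _, status in findings}
    if statuses & {"fail", "unknown"}:
        return "fail", findings
    return ("warn" if "warn" in statuses else "ok"), findings

# Constructed sample configs (not taken from any real system).
LEGACY_CONF = """\
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.2;   (commented out, so ignored)
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        verdict, findings = audit_ssl_protocols(conf)
        print(name, verdict, findings)
```

A "fail" verdict means at least one retired protocol is still enabled and should be removed from the directive; a "warn" verdict means only TLS 1.1 remains to be phased out.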

Last-minute updates were risky since outdated models were disabled July 1. Needless to say, the pause in operations was harmful to businesses that were behind the ball, resulting in lost revenue, customers and credibility.

Rewinding to PCI Basics

Complying with the above TLS update is one part of being compliant with PCI standards, and now we’ll get into the second part.

If you process credit cards, you’re probably familiar with the Payment Card Industry Self-Assessment Questionnaire (PCI SAQ) that needs to be filled out each year. Or maybe you’re not—then it’s a good thing you landed here!

Visa, MasterCard, Discover, American Express and JCB International require PCI compliance for all businesses that accept, process, store or transmit cardholder data.

Credit card fraud is alive and well despite our efforts to curb it, and PCI standards are universal tools used to inform card-accepting organizations of payment industry best practices, set those practices into motion, and show the world that they’ve been implemented. PCI standards are updated each year, so business owners must validate their PCI compliance by filling out the SAQ annually.

Whether you run a one-man operation out of your home or own a large corporation, PCI compliance is a requirement if you accept credit cards. Although it’s not a federal law, non-compliance can result in fines from the major credit card brands and a much higher risk of fraud for your customers and business.

PCI Compliance Time Savers

  • Communicate with your merchant service provider (MSP)

Most often, your merchant services provider will be readily available to assist you with your SAQ, and will send you reminders about when it will expire. They’re even allowed to complete it for you as long as you’re on the phone and have gone through all the questions with them.

There are different SAQs to choose from depending on your business type, so if you have any questions from the start, call your merchant services provider to clear them up so you don’t waste any valuable time you could be spending running your business.

  • Mark the date of your compliance expiration on your business calendar

Treat PCI compliance like any other important business appointment. Since it doesn’t directly affect your business unless you notice a non-compliance fee or suffer a data breach, it can be easy to forget about.

It’s an educational, preventative resource to help you safeguard your business from fraud, but it can become a financial burden if you don’t comply and experience card data theft as a result. You’ll lose a lot of credibility and customer trust, and non-compliance can even land you on the MATCH List/Terminated Merchant File.

  • Be aware that if you have a payment gateway or IP-connected credit card terminal (not installed on a phone line), a vulnerability scan of your IP address will also be required

If you accept credit cards through a payment gateway on your website, or have an in-store terminal that’s connected via IP rather than phone line, PCI fulfillment will include a vulnerability scan to confirm that the IP address associated with your website or store location is secure.

A PCI Approved Scanning Vendor (ASV) performs the scan, and most merchant account providers have a working relationship with one and can schedule this for you. If you don’t pass the scan, your merchant account provider should also be able to walk you through the remediation of vulnerable areas so that you pass.

Through close collaboration with your merchant services provider, fulfilling PCI compliance doesn’t have to be a daunting, confusing task.
