As of the 30th June, Payment Card Industry (PCI) compliance requires all eCommerce websites to use the latest version of TLS 1.2 for encryption and discontinue all support for the others, including SSL v3 and TLS 1.0 and 1.1.
SSL vs TLS
Although HTTPS certificates are often referred to as SSL certificates, they will almost always be using the newer and more secure TLS protocol. SSL is the older technology, so now, when talking about SSL, people are normally referring to TLS.
Who is making the change?
This is an industry-wide change and most of the larger payment providers including PayPal and Sage Pay have already stated that they will require a minimum of TLS 1.2 by the 30th June 2018 or earlier.
As this is now a requirement in order to be PCI compliant, any eCommerce website that takes payment online will need to follow suit.
Although this is currently only required for eCommerce, it can apply to any website using an SSL certificate, so servers that support the older protocols and process or store user data online will benefit from this upgrade.
Why the change?
TLS 1.0 and 1.1 are vulnerable to a number of well-known attacks including POODLE and BEAST that put user data at risk, including credit card data.
There are also no known fixes to repair the older protocol versions against the exploits.
As these exploits have been used previously, a decision has been made to make the upgrade necessary for PCI compliance, to protect both personal and payment data.
Who will be affected?
Fortunately, users of most modern browsers and operating systems will not notice any change.
The biggest impact will most likely be users of older versions of the Microsoft Internet Explorer web browser including Internet Explorer 10 and below, as these browsers do not support the modern protocols.
The latest versions of Internet Explorer, Chrome, Firefox and Safari all support TLS 1.2 by default when available.
If you are a website owner, this will affect you regardless of the type of certificate or the company it was purchased from as this relates to the server configuration.
Want to find out more?
This blog was written by Thomas Gardiner, Lead Developer at Stone Create.