Merchants Not Ready for TLS
Most merchants are still relying on the 1.0 version of Transport Layer Security, but the PCI council plans to drop support for that version in mid-2018.
Plenty of U.S. merchants still working to complete their migration to EMV now have another high-pressure technology hurdle to worry about: Most are still using a core transaction security protocol set to expire in the next 11 months and if they don’t take appropriate action they’ll be unable to process transactions.
Most merchants are still relying on the 1.0 version of the payment encryption method known as Transport Layer Security (TLS), but hackers have so thoroughly exploited it that the Payment Card Industry is withdrawing support for that version on June 30, 2018, and processors will follow suit immediately.
Switching to one of two more recent supported versions of the encryption protocol—either TLS 1.1 or TLS 1.2— should be relatively simple. But many merchants are held back by their use of older computer hardware and Windows operating systems prior to Windows 7.
Payments technology provider Cayan estimates that about 60% of all merchants are still relying on the older version, TLS 1.0, and potential losses to merchants that don’t make the upgrade to newer versions by next year’s deadline could run into the billions.
“We’ve measured our own merchants’ exposure and presently about 55% of Cayan merchants are using the older version and will need to make some kind of change within the coming months to avoid losses,” said Dom Lachowicz, senior vice president of engineering at Boston-based Cayan.
Cayan recently stepped up its program to notify merchants of the need to assess existing systems to make changes in time, according to Lachowicz. Other major payments providers including Elavon and Chase Merchant Services also said they are working closely with merchants to drive awareness.
“We’re finding that lots of merchants are going to need to make very substantial changes in their storefront and e-commerce operations to be ready for next July,” Lachowicz said.
For large merchants with more complex, integrated POS systems that leverage older, out of date operating systems, necessary upgrades could cost “hundreds to thousands of dollars per lane,” Lachowicz said.
“About 55% of Cayan merchants are using the older version [of TLS] and will need to make some kind of change within the coming months,” said Dom Lachowicz, SVP of engineering at Cayan.