(REVISED) TLS, the June 30, 2016 Deadline, Online Payments, and You

Posted by Matt Birchler
— 3 min read

UPDATE: The PCI compliance council has said they are pushing the deadline back to June 30, 2018, so this article is now a couple years early. It's a surprising move considering the state of TLS 1.0 security today, but that seems to be the direction they're chosen to go.

You can dive really deep into this, but in general TLS (or Transport Layer Security) is a security protocol used to send data over the internet. You’ve likely seen this in your travels around the web, but you may not have known it. Any website that starts “https” and has that little lock icon next to the URL is using an SSL or TLS security protocol. This basically makes sure that when you enter data into a website, it’s only going to go where you want it to go.

As with anything security related, these things are evolving all the time. As the bad guys crack the old systems, new ones have to come in to take their place. It was less than 6 months ago that SSL 3.0 was deprecated and declared to be insecure. As of today, web services need to be using SSL’s successor, TLS. However, TLS 1.0’s time is coming to an end as well, as the PCI Security Standards Council declared in their Data Security Standard 3.1 report. I’ll save you some time and pull the most critical part to you from under the Encrypt transmission of cardholder data across open section:

SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

Impact on developers

This is basically saying that online credit card and ACH (e-check) transactions will need to be passed over a TLS 1.1 or 1.2 secured connection. For web payment companies, this means they have to get their systems up to date. Most of them already are, and they 100% will be by June 30, 2016 otherwise they’ll…well, go out of business.

Massive online stores like Amazon and Target, all the way down to shopping cart developers (such as WooCommerce) will need to be using the new TLS versions as well.

What about me, the customer?

So far so good, right? It’s just web developers and payment processors who need to get on board. But what about you at home, reading this? Do you have to do anything?

Probably not…but maybe. Security is a two-way street, so not only do websites need to be updated, but you need to be using a computer and web browser that supports the newest TLS protocols. If you have a relatively modern computer, this should not be a problem. However, if you have been using the same computer for over a decade and have not done any updates in a long time, you may be in trouble.

Operating system support for TLS 1.1 and 1.2

  • Windows 7 and newer (no XP or Vista!)
  • Mac OS X 10.8 Mavericks and newer
  • Android 4.4 and newer (maybe 2.3 if developers do a lot of work)
  • iOS 5 or newer

You can also visit How’s My SSL on any device and see where you stand.

Whichever system you are running, you want to make sure that your web browser is up to date as well. All the major browsers (Chrome, IE, Safari, Firefox, Opera) all support the new TLS versions, but many of them only got it very recently. Turn on auto-updates!

If you do not update by the June 30, 2016 cut off, you will start to run into issues when trying to purchase things online. The web will not break for you entirely, as the deprecated TLS versions will still function for many sites. But expect to start to see error messages when trying to go to a checkout screen.

Final advice

My advice to the average person is to just go out there and update your old computer. I know you may think Windows XP was the best operating system in the world and it’s only gone downhill from there, but it’s time to move on. Get your system up to date now and don’t worry about this. Odds are by June 30, 2016 you’ll have forgotten this is even a thing and just carry on with your life.