Whether you head up an IT team or are part of an organization that conducts business online, you need to understand this: web encryption is changing in 2017, and it’s going to affect you.
Technology is expanding exponentially, and the skill sets of nefarious hackers are never far behind. Well beyond just being able to target your personal information, they can now actually attack your old browsers, protocols, and applications as well. Without proper encryption, your data is no longer safe.
So let’s talk about TLS 1.2, an upcoming security upgrade that should be of critical concern for all business leaders (even if it does sound totally dull).
Whoa, of critical concern? Hear me out. This article isn’t intended to be a scare tactic; reading it should help you feel the urgency to put your TLS 1.2 plan in action. It also aims to offer clarity on a technical topic that still confuses some IT experts. I’ve scoured technical forums to find the top 8 questions being asked about the impact of TLS 1.2, and how you can best prepare your organization for the change.
- WHAT IS TLS ANYWAY?
TLS is an acronym for “Transport Layer Security,” which is the protocol that allows digital devices (such as computers and phones) to communicate over the internet securely without the transmission being vulnerable to an outside audience. TLS makes it possible for you to use your credit card to snag that blender deal on Amazon Prime Day, or to make secure transfers via your bank account online.
- WHY DO WE NEED TLS 1.2?
The latest PCI compliance standards require that any site accepting credit card payments uses TLS 1.2 after June 30, 2018. Even though you have some time before TLS 1.2 is required for PCI compliance, most internet services are moving to require support of TLS 1.2 earlier. Services such as PayPal, Authorize.net, Stripe, UPS, FedEx, and many others already support TLS 1.2, and have announced that they will eventually refuse TLS 1.0 connections. This means your safest action is to upgrade to TLS 1.2 sooner rather than later to avoid disruption.
- DOES MY ORGANIZATION NEED TO USE TLS/SSL?
Whether you need to use TLS/SSL depends on your organization’s activities. For organizations involved in health services or payment processing, using a security protocol such as TLS/SSL to encrypt network communications is likely a federal or commercial requirement. For other organizations, using TLS/SSL might simply be a good idea. For more information on health services requirements, visit the HIPAA Security Standard. For requirements on payment processing PCI DSS and compliance, visit the PCI SSC website.
- WHAT HAPPENS IF I DON'T UPGRADE TO TLS 1.2?
Most importantly, by not upgrading to TLS 1.2, you are putting your customers' data at risk. The consequences of not being PCI compliant and suffering a data breach can include fines and the termination of your ability to process credit card transactions.
And after the deadline, the services your website depends on that require TLS 1.2 will cease functioning, which means your payment processing, shipping rate lookups, or other real-time integrations could stop working if TLS 1.2 is not addressed.
- HOW CAN I TELL IF MY SITE IS VULNERABLE?
If you are using a hosted solution for your eCommerce platform, you are most likely already protected. However, if you use a third party for a custom-built solution, then you will need to verify that you are protected with the hosting vendor of that solution.
- ISN'T UPDATING MY SSL CERTIFICATE GOOD ENOUGH?
Not at all. The SSL certificate only covers incoming connections to your web server; it has no effect on the outbound calls your web server makes to other services, which depend on your server's own TLS client configuration.
- WHAT CAN I DO TO ENSURE MY SITE IS COMPLIANT?
Unfortunately, there is no simple answer to this question. Every organization has a different configuration. From a bird’s-eye view, you need to ensure that the following connections and platforms are compliant with TLS 1.2:
- IIS (Internet Information Services)
- Web Server
- .NET Framework
- eCommerce Application
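The list above and the earlier point about outbound calls both come down to one question: what does this Windows host actually allow, inbound and outbound? The following read-only audit script is an added example, not from the original article; it reads the documented SCHANNEL and .NET Framework registry locations, and `api.example.com` is a placeholder for a real endpoint your site calls.

```powershell
# Added example: audit a Windows/IIS/.NET host for TLS 1.2 readiness. Read-only; run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    param([string]$Protocol, [string]$Role)   # e.g. 'TLS 1.2', 'Server' (inbound) or 'Client' (outbound)
    $key = Join-Path $base "$Protocol\$Role"
    if (-not (Test-Path $key)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off unless an app asks for it.
    $enabled  = if ($null -ne $p.Enabled) { $p.Enabled -ne 0 } else { $true }
    $disabled = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault -ne 0 } else { $false }
    if ($enabled -and -not $disabled) { 'enabled' } else { 'disabled' }
}

# 1. SCHANNEL protocol state for IIS (Server) and for calls this host makes (Client).
#    Goal: TLS 1.2 enabled in both roles; SSL 3.0 and TLS 1.0 disabled.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        '{0,-8} {1,-6} {2}' -f $proto, $role, (Get-SchannelState $proto $role)
    }
}

# 2. .NET Framework defaults used by application code that does not pin a protocol.
#    SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 let .NET 4.x follow the OS and use TLS 1.2.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        $p = Get-ItemProperty -Path $net
        '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f $net,
            ($p.SchUseStrongCrypto -as [int]), ($p.SystemDefaultTlsVersions -as [int])
    }
}

# 3. Outbound check: which protocol does this host really negotiate with a remote service?
#    This exercises the same .NET client stack your eCommerce application uses for API calls.
function Test-OutboundTls {
    param([string]$Target, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Target)
        '{0}:{1} negotiated {2}' -f $Target, $Port, $ssl.SslProtocol
    } finally { $tcp.Close() }
}
# Placeholder host; replace with the payment or shipping API endpoint your site calls:
# Test-OutboundTls -Target 'api.example.com'
```

If step 3 reports Tls (TLS 1.0) or Tls11 while the remote service already supports TLS 1.2, the fix is on your side: the .NET settings in step 2 or a hard-coded SecurityProtocol in the application.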
- WHERE CAN I FIND MORE INFORMATION ABOUT TLS 1.2?
Luckily, there are many great resources for SSL and TLS online; you can gather all the information you’ll need to ensure that you are prepared for the upcoming changes. Here’s a sampling of some of them:
- SSL and TLS – How Encryption Works
- PCI Data Security Standard (PCI DSS)
- Video: SSL TLS HTTPS Process Explained in 7 Minutes
- Upgrading to SHA-2 and TLS 1.2
- 5 Things You Need to Know About the TLS Deadline
- Salesforce Knowledge Article: Enabling TLS 1.1 and TLS 1.2 in IE
In the end, being proactive is the only way to avoid unwanted security breaches against your company and customers. The upfront costs of performing system updates like TLS 1.2 are much less than what your organization would spend cleaning up a potential security breach later. And, once your users’ trust in your site is shattered, it’s very hard to win back.
Providing a secure experience enables your customers to feel confident about transacting with your web platform. At the end of the day, security is just another important part of providing an excellent customer experience.