An Encryption Upgrade Could Upend Online Payments

At the end of June, online credit card transactions are getting a mandatory encryption upgrade. It’s good news, but not if you have an old device, or depend on a retailer that hasn’t completed the transition.

When data moves from one device to another, it needs protection so it isn’t intercepted and manipulated along the way. This defense is especially crucial, as you might imagine, for sensitive communications like financial transactions. And with credit card fraud booming, the Payment Card Industry Security Standards Council announced last year that it would phase out an old, buggy encryption protocol used for processing online credit card transactions, called Transport Layer Security 1.0, in favor of more secure alternatives. The deadline: June 30.

‘The problems are fundamental protocol design issues, not something that can be easily fixed.’

Kenn White, Open Crypto Audit Project

Though there are exceptions for merchants that operate their own payment processing servers, organizations that use PCI-compliant commerce platforms–almost everyone–need to upgrade the encryption protocols on their websites and payment terminals if they haven’t already. Making these updates should be pretty easy for a small business that has a couple of credit card readers and a website, but merchants need to know to do it in the first place. Big companies with thousands of payment terminals and a massive web presence face a more significant update challenge. With the deadline only weeks away, some are still scrambling. In the worst-case scenarios, those credit card transactions will simply stop going through.

“This update is a big deal in the e-commerce platform world, because every merchant is using unique integrations and needs to be up to date so transactions don’t fail,” says Jack Cravy, vice president of operations at the software provider AmeriCommerce, which has been working with customers to prepare for the transition. “A lot of these platforms that haven’t updated yet need to get on the ball pretty soon, or they’re going to be in hot water.”

In addition to potential problems on the merchant side, older software and devices may not support the improved encryption protocols, meaning that transactions could fail on the user side as well. Independent of the push to secure credit card transactions, many sites have transitioned to more secure encryption in the past few years; if your device is that old, you’ve likely noticed already. And even if you’re running an ancient or poorly forked version of Android, or a musty iOS, you may be able to get around the problem if your device can run a somewhat current browser that supports TLS 1.1 and 1.2.

If you’re concerned that your device might not be ready for the change, you can check what your browser supports with this tool from the cloud security firm Qualys.

The push in e-commerce to update encryption protocols mirrors broader efforts across the tech industry to standardize this type of data protection. The little green padlock in your browser, for example, uses Transport Layer Security to connect web servers and your browser, authenticate both sides, and then prevent eavesdropping as data goes through the channel. Up to now, digital payments could be processed with TLS 1.0, 1.1, or 1.2. But TLS 1.0, codified in 1999, has shown its age, and has well-known vulnerabilities to numerous attacks, including the not-cute POODLE bug. TLS 1.1 from 2006 and the popular TLS 1.2 from 2008 have their own problems, but at least eliminate some of the most serious exposures of 1.0.
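The Qualys tool mentioned above checks the browser side. A merchant has the mirror-image question: does my own site or payment endpoint still complete a handshake at TLS 1.0, and does it accept at least one of the versions the article says are acceptable? The script below is an added example, not code from WIRED, the PCI Security Standards Council, or any of the vendors quoted; it uses only Python’s standard `ssl` and `socket` modules, and the hostname in the usage section is a placeholder. It pins a client context to one protocol version at a time, records which handshakes succeed, and turns the results into a pass/fail verdict matching the rule described in the article (TLS 1.0 off, a newer version on). It also shows the server-side setting that makes the verdict come out right.

```python
"""Probe which TLS protocol versions a server negotiates and report whether
it still accepts TLS 1.0, the version the PCI deadline retires.

Added example; not the article's, the PCI SSC's, or any vendor's own code.
"""
import socket
import ssl

# Protocol versions in the order the article discusses them.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

MODERN = ("TLS 1.1", "TLS 1.2", "TLS 1.3")


def context_pinned_to(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only want to know whether the handshake completes, so the
    # certificate is not verified here; a real client must verify it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security
    # level; lower it for the probe only, and ignore builds that cannot.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def accepts(host, port, version, timeout=5.0):
    """True if `host:port` completes a handshake at exactly `version`."""
    ctx = context_pinned_to(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map each version name to whether the server negotiated it."""
    return {name: accepts(host, port, version) for name, version in VERSIONS}


def pci_verdict(results):
    """Apply the article's rule to probe results: TLS 1.0 must be off and at
    least one newer version must be on, or transactions will fail."""
    if results.get("TLS 1.0"):
        return "FAIL: still accepts TLS 1.0"
    if not any(results.get(name) for name in MODERN):
        return "FAIL: no TLS 1.1/1.2/1.3 accepted; clients cannot connect"
    return "OK: TLS 1.0 disabled, modern version available"


def hardened_server_context():
    """Server context with TLS 1.0 and 1.1 disabled outright.
    The caller still loads its certificate with load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Placeholder host: replace with your own storefront or gateway endpoint.
    host = "shop.example"
    results = probe(host)
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    print(pci_verdict(results))
```

Run it against your own endpoints before the deadline rather than after, and run it from a host whose OpenSSL can still speak TLS 1.0; a probe that cannot offer the old version will report it as refused whether or not the server would take it. The `pci_verdict` rule deliberately fails the case where TLS 1.0 is off but nothing newer is on, because that is the exact failure mode the article warns about: transactions that simply stop going through.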

“In the winter of 2014 to 2015, there were a number of vulnerabilities discovered that allowed attackers to fully decrypt network traffic protected by TLS 1.0,” says Kenn White, director of the Open Crypto Audit Project. “The problems are fundamental protocol design issues, not something that can be easily fixed.”

‘It becomes a risk for fraud and info stealing if you’re employing it. It’s a big deal.’

Jack Cravy, AmeriCommerce

Many merchants proactively upgraded past TLS 1.0 years ago, and the industry has had more than a year to prepare for the transition, which the PCI Security Standards Council describes as “critically important.” Platform providers like PayPal and AmeriCommerce have offered support to clients, and have been running “smokescreens” for months in which they shut off TLS 1.0 support for an hour or so at a time to help merchants that still haven’t upgraded realize the severity of the problem. As a result of this industry-wide push, customers likely won’t experience problems transacting with the bulk of mainstream retailers, but there could still be issues with more peripheral organizations or those that don’t have digital transactions at the core of their work.

“It will largely merely be a few stragglers that are using 1.0, but they may still do a lot of volume, so it’s hard to say that they’re not important and we’ve just been trying to warn them,” AmeriCommerce’s Cravy says. “It’s a weak protocol, there are known exploits for it, so it becomes a risk for fraud and data stealing if you’re using it. It’s a big deal.”

As with any transition, observers expect some problems at first, but note that the move away from TLS 1.0 is worth it and long, long overdue–especially for web traffic where money’s involved.
