Topic: Use PayPal cc processing for website? Deadline to quit using TLS1.0 approaching

WayOutWest

The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal enabled support for TLS 1.2 for all secure connections and last year began requiring its use. If you haven't already done so, you will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections by June 30th of this year (2017). After that time, all TLS v1.0 and TLS v1.1 API connections will be refused.

These updates are part of an industry-wide initiative to improve security standards. Some of these updates, like the TLS upgrade, are mandated by the PCI Security Council and are required by every website that transmits or processes cardholder data.

Merchants and developers may have to update their applications and integrations in order to be in compliance and ensure that their applications continue to function as expected.

Src: https://devblog.paypal.com/upcoming-security-changes-notice/

For more information please visit:
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

The deadline for all merchants to stop using SSL and TLS 1.0, and be fully switched to TLS1.1 (or higher), and still be PCI compliant, is June of 2018 (the original deadline was June of 2016) https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf

In addition, the PCI Council has stated that web browsers will begin prohibiting SSL connections in the near future.

The other part of this is that there are tons of people out there still using older browsers, many of which can't even use TLS1.1, much less TLS1.2. For example, IE versions prior to v11 either can't natively use TLS1.1, or don't have it enabled. All of the people still using XP and Vista? Even if they update to IE9, they don't have TLS1.1 capability, much less TLS1.2. IE in Windows 7 & 8 has access to both, but they're disabled by default unless the user updates to IEv11. A complete chart of browsers and what versions of TLS they have can be found at https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

To enable TLS1.1 & 1.2 on your browsers, the U.S. State Dept. has easy-to-follow directions. The directions are actually for enabling TLS1.0, but it gets you to the right spot for enabling 1.1 and 1.2. https://travel.state.gov/content/dam/aa/pdfs/directions_for_enabling_tls.pdf

You can also check your browser's TLS capabilities by viewing the page at https://www.ssllabs.com/ssltest/viewMyClient.html
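
An offline counterpart to the client check mentioned in the post above, for the server-side environment that makes the API calls (added example, not part of the original thread and not PayPal's code). It builds the ClientHello a Python client would send and lists the protocol versions it offers; the host name `api.example.test` and all function names are made up for illustration.

```python
import ssl

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def context_with_tls12_floor(cap_at_tls12=False):
    """Client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cap_at_tls12:  # simulate an older stack whose newest protocol is TLS 1.2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def client_hello(ctx, host="api.example.test"):  # placeholder host, never contacted
    """Return the ClientHello record the context would send; no network is used."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def offered_versions(record):
    """List the protocol versions a ClientHello record offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                              # 5-byte record header + 4-byte handshake header
    legacy = u16(record, pos)
    pos += 2 + 32                        # legacy_version + random
    pos += 1 + record[pos]               # session id
    pos += 2 + u16(record, pos)          # cipher suites
    pos += 1 + record[pos]               # compression methods
    end = pos + 2 + u16(record, pos)     # end of the extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(record, pos), u16(record, pos + 2)
        if ext_type == 43:               # supported_versions (TLS 1.3 capable clients)
            body = record[pos + 4:pos + 4 + ext_len]
            codes = [u16(body, i) for i in range(1, 1 + body[0], 2)]
            return [NAMES.get(c, hex(c)) for c in codes]
        pos += 4 + ext_len
    # Older hello: only the highest version is on the wire, as legacy_version.
    return [NAMES.get(legacy, hex(legacy))]

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, offered_versions(client_hello(context_with_tls12_floor())))
```

Run it with the interpreter your integration actually uses, since the result reflects that interpreter's OpenSSL build.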




Southern Jewel's Fab Finds

Thanks!
Been meaning to look into this...needed that bump.
