Topic: Use PayPal cc processing for website? Deadline to quit using TLS1.0 approaching

WayOutWest

The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal enabled support for TLS 1.2 for all secure connections and last year began requiring its use. If you haven't already done so, you will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections by June 30th of this year (2017). After that time, all TLS v1.0 and TLS v1.1 API connections will be refused.

These updates are part of an industry-wide initiative to improve security standards. Some of these updates, like the TLS upgrade, are mandated by the PCI Security Council and are required by every website that transmits or processes cardholder data.

Merchants and developers may have to update their applications and integrations in order to be in compliance and ensure that their applications continue to function as expected.

Src: https://devblog.paypal.com/upcoming-security-changes-notice/

For more information please visit:
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

The deadline for all merchants to stop using SSL and TLS 1.0, and be fully switched to TLS1.1 (or higher), and still be PCI compliant, is June of 2018 (the original deadline was June of 2016) https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf

In addition, the PCI Council has stated that web browsers will begin prohibiting SSL connections in the near future.

The other part of this is that there are tons of people out there still using older browsers, many of which can't even use TLS1.1, much less TLS1.2.  For example, IE versions prior to v11 either can't natively use  TLS1.1, or don't have it enabled.  All of the people still using XP and Vista?  Even if they update to IE9, they don't have TLS1.1 capability, much less TLS1.2.  IE in Windows 7 & 8 has access to both, but they're disabled by default unless the user updates to IEv11.   A complete chart of browsers and what versions of TLS they have can be found at https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

To enable TLS1.1 & 1.2 on your browsers, the U.S. State Dept. has easy to follow directions.  The directions are actually for enabling TLS1.0, but it gets you to the right spot for enabling 1.1 and 1.2.   https://travel.state.gov/content/dam/aa/pdfs/directions_for_enabling_tls.pdf

You can also check your browser's TLS capabilities by viewing the page at https://www.ssllabs.com/ssltest/viewMyClient.html




Southern Jewel's Fab Finds

Thanks!
Been meaning to look into this...needed that bump.

WayOutWest

Welcome. Hear ya. I've been needing to do updates myself. Going to change hosts in the next couple of days so that I can update to the newest security requirements. Switching over to Magemojo. They're PCI compliant and focus on hosting magento stores.

Southern Jewel's Fab Finds

Thumbs up!

WayOutWest

I just spent a good chunk of the day pulling my hair out over trying to get Outlook to connect to the email server for the new host.  I finally figured out what was going on.  By default, TLS1.0 is disabled, due to the new PCI compliance issues.  However, Outlook 2010 and older won't work without TLS1.0 being available on the server side of things.

From my understanding, completely disabling TLS1.0 doesn't have to be done until July of 2018, so I (and the tons of other people using older versions of Outlook) have a year to get that resolved.  *phew*  edit - people are reporting that they are failing their PCI scans even though the date isn't here yet and that they're having to protest the results.

If all else fails, the workaround will be to host email on a separate server, such as GoDaddy email.

If you're unable to get your email client to connect to your new host, check into whether or not they have TLS1.0 disabled.
« Last Edit: June 29, 2017, 02:25:08 PM by WayOutWest »

Southern Jewel's Fab Finds

I can only imagine how frustrated you were.
I have to wonder if this had something to do with my frustration with my hotmail email addy back earlier this year with my iPhone.
I didn't use outlook in the setup of the email for my iPhone...added it via a hotmail work-around.

Out of the blue I receive a message that my hotmail account is unable to connect on my phone.
Checked with my iPad...nope, can't connect.
No probs with my gmail(s).
No probs with my laptop nor my desktop.
Weird.

Thanks to posts on various forums, I found that I wasn't able to use the workaround for my hotmail any longer on my iPhone.
Outlook was required for my iPhone and iPad (and according to forums Android based phones were having issues also).

I don't know if this has anything to do with the TLS1.0 enabling or disabling but thought it might be worth mentioning.

 

WayOutWest

Spent tons of time trying to find how to get Outlook to not use TLS1.0, and FINALLY found it.  If your server has TLS1.0 turned off for PCI compliance, you can't use Outlook to access your emails, and you have Windows7 or higher, it's an easy registry fix.

run regedit
go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols
create key named: TLS 1.1
create another key named: TLS 1.2
inside of each of those, create a key named: Client
inside each of the Client keys, create a DWord value named: DisabledByDefault
leave the value of each instance of DisabledByDefault set to 00000000
reboot the machine

now, in Outlook, edit the email account(s) to where it uses TLS encryption for connecting to the account(s)

Another option is to simply use Thunderbird; the latest version of it has TLS1.1 and 1.2 enabled by default.

To simplify the process of editing the registry, I have attached files to fix it (for Windows 7, 8, & 10) for you.  Simply run the two attachments and they will add those keys/subkeys/and DWord values auto-magically.

Thanks to RainingForks blog for the info on how to fix it
http://www.rainingforks.com/blog/2015/how-to-allow-outlook-to-connect-with-tlsv1-1tlsv1-2.html

« Last Edit: June 29, 2017, 10:01:08 PM by WayOutWest »
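
The registry steps from the post above, written out as a script. This is an added example, not one of the attachments the post mentions; the function name `Enable-SchannelClientProtocol` is hypothetical, and it assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example: scripts the manual regedit steps described in the post.
# Assumes an elevated (Run as administrator) PowerShell prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

# Writing under HKLM needs administrator rights; stop early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

function Enable-SchannelClientProtocol {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Protocol)

    # Protocols\<Protocol>\Client, e.g. "...\Protocols\TLS 1.2\Client"
    $clientKey = Join-Path (Join-Path $base $Protocol) 'Client'

    # Create the key (and its parent) only if missing, so existing values survive.
    if (-not (Test-Path -Path $clientKey)) {
        New-Item -Path $clientKey -Force | Out-Null
    }

    # DisabledByDefault = 0 (the 00000000 DWord from the steps above).
    New-ItemProperty -Path $clientKey -Name 'DisabledByDefault' `
        -Value 0 -PropertyType DWord -Force | Out-Null

    # Read the value back so the result reflects what is actually in the registry.
    $current = (Get-ItemProperty -Path $clientKey).DisabledByDefault
    New-Object PSObject -Property @{
        Protocol          = $Protocol
        Key               = $clientKey
        DisabledByDefault = $current
    }
}

# Apply to both protocols named in the post and show the resulting state.
'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Enable-SchannelClientProtocol -Protocol $_ } |
    Format-Table Protocol, DisabledByDefault, Key -AutoSize

Write-Host 'Reboot the machine for the change to take effect.'
```

After the reboot, the remaining step from the post still applies: edit the Outlook account so it uses TLS encryption when connecting.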

WayOutWest

A bit more on the TLS1.0 thing - I just came across the fact that unless you're letting Windows7 automatically do updates (which many people aren't) it reportedly doesn't have TLS1.1 or 1.2 support.

Just think of all those people out there running 7 without latest updates.  Not to mention all the people that are still using XP or Vista. That's a huge customer base to be blocking out from ecommerce sites.

On the plus side, think of all the internet cafes in Nigeria and such that are still using older systems. That's a win  :P

Southern Jewel's Fab Finds

I have a laptop that is still running Windows 7.
It's in a closet not being used, but I need to remember this should I boot it back up.
Plus, I just gave away a desktop tower that had Windows 7 on it that had been in the back of a closet for who knows how long?
I swear I'm not a hoarder...
<smile>

Yep, a lot of the internet cafes are running older, older computer systems.


  
