Use PayPal cc processing for website? Deadline to quit using TLS1.0 approaching

WayOutWest:
The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal enabled support for TLS 1.2 for all secure connections and last year began requiring its use. If you haven't already done so, you will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections by June 30th of this year (2017). After that time, all TLS v1.0 and TLS v1.1 API connections will be refused.

These updates are part of an industry-wide initiative to improve security standards. Some of these updates, like the TLS upgrade, are mandated by the PCI Security Council and are required by every website that transmits or processes cardholder data.

Merchants and developers may have to update their applications and integrations in order to be in compliance and ensure that their applications continue to function as expected.

Src: https://devblog.paypal.com/upcoming-security-changes-notice/

For more information please visit:
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

The deadline for all merchants to stop using SSL and TLS 1.0, and be fully switched to TLS1.1 (or higher), and still be PCI compliant, is June of 2018 (the original deadline was June of 2016) https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf

In addition, the PCI Council has stated that web browsers will begin prohibiting SSL connections in the near future.

The other part of this is that there are tons of people out there still using older browsers, many of which can't even use TLS1.1, much less TLS1.2.  For example, IE versions prior to v11 either can't natively use  TLS1.1, or don't have it enabled.  All of the people still using XP and Vista?  Even if they update to IE9, they don't have TLS1.1 capability, much less TLS1.2.  IE in Windows 7 & 8 has access to both, but they're disabled by default unless the user updates to IEv11.   A complete chart of browsers and what versions of TLS they have can be found at https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

To enable TLS1.1 & 1.2 on your browsers, the U.S. State Dept. has easy to follow directions.  The directions are actually for enabling TLS1.0, but it gets you to the right spot for enabling 1.1 and 1.2.   https://travel.state.gov/content/dam/aa/pdfs/directions_for_enabling_tls.pdf

You can also check your browser's TLS capabilities by viewing the page at https://www.ssllabs.com/ssltest/viewMyClient.html

Southern Jewel:
Thanks!
Been meaning to look into this...needed that bump.

WayOutWest:
Welcome. Hear ya. I've been needing to do updates myself. Going to change hosts in the next couple of days so that I can update to the newest security requirements. Switching over to Magemojo. They're PCI compliant and focus on hosting Magento stores.

Southern Jewel:
Thumbs up!

WayOutWest:
I just spent a good chunk of the day pulling my hair out over trying to get Outlook to connect to the email server for the new host. I finally figured out what was going on. By default, TLS1.0 is disabled, due to the new PCI compliance issues. However, Outlook 2010 and older won't work without TLS1.0 being available on the server side of things.

From my understanding, completely disabling TLS1.0 doesn't have to be done until July of 2018, so I (and the tons of other people using older versions of Outlook) have a year to get that resolved. *phew* edit - people are reporting that they are failing their PCI scans even though the date isn't here yet and that they're having to protest the results.

If all else fails, the workaround will be to host email on a separate server, such as GoDaddy email.

If you're unable to get your email client to connect to your new host, check into whether or not they have TLS1.0 disabled.
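An added example, not part of any post in this thread: one way to carry out the two checks mentioned above, verifying that a host accepts TLS 1.2 and finding out whether a host has TLS 1.0 disabled. The names `pinned_context`, `probe` and `survey` are hypothetical, and the script assumes the service speaks TLS from the first byte (HTTPS on 443, or a mail port with implicit TLS).

```python
import socket
import ssl
import sys

# Protocol versions named in the thread, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Build a client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so certificate checks are
    # switched off. Do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Recent OpenSSL builds block TLS 1.0/1.1 at the default security
        # level; lower it so a failure reflects the server, not this client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # TLS library without security levels
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'refused', 'unreachable' or 'no-local-support'."""
    try:
        ctx = pinned_context(version)
    except ValueError:
        return "no-local-support"  # local TLS library lacks this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except OSError:  # ssl.SSLError and handshake timeouts are OSErrors
            return "refused"

def survey(host, port=443):
    """Probe every version in VERSIONS against one implicit-TLS port."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}

if __name__ == "__main__" and len(sys.argv) > 1:
    print(survey(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it with your own host name and port as arguments. Mail ports that upgrade with STARTTLS are not covered, because the TLS handshake there only begins after a plaintext command.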
