Credit Card Security – What You Need to Know About the TLS Update

SiteLink StandAlone, PCI requirements and staying ahead of the hackers

Threats to data security are becoming more common and sophisticated. Attackers are getting better at avoiding detection, and the rise in the sheer number of devices connected to the Internet make it statistically easier to find a point of weakness. Hackers are sure to be continuously looking for ways to infiltrate security protocols, and businesses need to do what they can to protect sensitive and valuable information.

New security protocols mandated

You may have recently been required to update your SiteLink StandAlone software to accommodate new security protocols. Or, you may have found that credit card payments suddenly don’t work at your facility. This is probably because the Payment Card Industry (PCI) rolled out new security protocol requirements for merchants who store or transmit sensitive information like credit card numbers over the Internet.

These new Payment Card Industry Security Standards Council (PCI SSC) requirements state that all payment systems must disable earlier versions of TLS security protocols and transition to TLS version 1.1 or preferrably 1.2. Older protocols (SSL and TLS 1.0) are highly vulnerable to security breaches.

What is TLS?

Transport Layer Security (TLS) is a set of rules, or protocol, that encrypts and authenticates Internet traffic between 2 systems, essentially making the transaction “confidential” and secure. Merchants who transmit sensitive information (i.e. credit card info) over the Internet rely on TLS to send this data securely. This set of rules was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s.

Weaknesses in early TLS and SSL

As eCommerce grew, hackers took advantage of vulnerabilities in early TLS/SSL and sensitive information was at times exposed. The POODLE attacks and Heartbleed bug are a couple of examples of how hackers exploited these weaknesses. With POODLE, attackers were able to gain access to passwords and other authentications to gain more complete access to a user’s private account data on a website. With Heartbleed, attackers could “trick” a web server into sending passwords, usernames and other sensitive data. Both were results of vulnerabilities in SSL/TLS or the implementation of the protocols.

In response to these known attacks and to ward off potential new ones, PCI and the Internet Engineering Taskforce (IETF) improved security with major upgrades to TLS protocol -TLS v1.1 and 1.2, stating that “the existence of the POODLE and Heartbleed exploits, among others, prove that anyone using SSL and early TLS risks being breached.” According to PCI, the best way to protect against today’s threats is by migrating to newer versions of TLS.

Who is affected by this change?

Self-storage operators who take credit cards in our StandAlone product (Web Edition is not vulnerable) need to be aware of these new requirements. SiteLink has notified its customers using SiteLink StandAlone software that they may need to update their software. If you’re using StandAlone, you may have received a postcard mailer, email or phone call regarding this issue. It needs to be addressed or your payment processing will simply stop working. Some payment gateways have already disabled access to less secure software and all of them will be doing so very soon. For example, Authorize.Net temporarily disabled connections to older TLS protocols for a few hours to help their customers identify issues on January 30, 2018 and again on February 8, 2018 with permanent disconnection Feb 28, 2018. The final deadline to comply is June 30, 2018.

What you need to do

If you’re using SiteLink StandAlone, you may need to take action. StandAlone was upgraded last year to version 4.24, which accommodates TLS version 1.2. Verify you are running version 4.24. If you aren’t, you’ll need to update for credit card payments to work.

If you are using SiteLink Web Edition, you don’t have to do anything. SiteLink has already ensured that the Web Edition and myHub you use every day to process credit cards is accommodating TLS 1.2.

Benefits of subscription software

Technology is constantly evolving, and updates – including ones involving security protocols – are inevitable. If you don’t want your business negatively affected by these issues, upgrading to SiteLink Web Edition is a great option. Cloud-based subscription models like Web Edition have many benefits to the consumer, one of the most important is providing all customers real-time updates that correct vulnerabilities such as TLS. SiteLink automatically updates the software in the cloud for you at regular intervals or as necessary.

With new vulnerabilities being identified daily, it’s important to take steps to ensure your data is safe. Cybercrime is on the rise, affecting more and more businesses and consumers alike. Some experts believe that SSL/TLS targeted attacks are increasing because of improved data encryption processes. In any case, you can be sure hackers are working very hard to find new ways to steal data—so be sure to partner with companies that prove they take data security seriously.