In the early days of the Internet, before e-commerce was a major force, the simple browsers made use of an equally simple security protocol called Transport Layer Security (TLS version 1.0) based on the Secure Socket Layer (SSL) protocol. TLS 1.0 was intentionally modified to make it easy for multiple brands of browsers to work with web sites, which ultimately weakened the security. Now with hacking of financial and commerce webs sites at an all time high, TLS 1.0 is deemed a vulnerable protocol. The PCI Council has told payment card handlers to stop using this outdated version to stay within PCI compliance.
Global Security Coordination Necessary
As you can imagine, the payment card industry wants to maintain the highest level of security and thus is pushing for disabling TLS 1.0 and moving to TLS 1.1 or 2. For the Merchant, that means a customer using an outdated browser with TLS 1.0 soon won’t be able to connect to a secure web site. The good news is that at this time most modern browsers either don’t support SSL or have SSL support disabled by default. Between the end client choosing the browser and the regulators choosing security protocols, most of this battle is out of the tokenization providers’ hands, although we do have a voice into the matter through the PCI Council. What we are seeing at that level is a negotiation between retailers, web browser companies, and regulators. At the end of the day, we are at the mercy of the end client. My analogy is that a rising tide lifts all boats. As an industry we must all keep the security tide rising and eventually we will force the end clients’ browser to be upgraded.
PCI Compliance and Security Not Optional
At TokenEx, we have two guiding principles in this matter. First, we must stay in compliance with PCI, so we will disable old protocols as necessary. Second, security is essential so we will negotiate protocols at the most secure level and not allow a downgrade in protocol. For TokenEx, this is manageable because the majority of our transactions are server to server, so we don’t have the browser-compatibility challenges.
Disabling TLS 1.0
Finally, as for disabling of TLS 1.0, we will coordinate a similar strategy as when we previously completed the SSL transition. From our server side, we can determine who is using an outdated protocol, since many of our transactions are server to server, those are typically negligible if non-existent. For clients using our Hosted Payment Page tokenization technology we will coordinate the transition to TLS 2 and provide statistics on the number of clients connecting with outdated browsers. Fortunately, we believe that there are not too many people using old browsers to transact their financial business, so the impact should be minimal.
Dr. Jerald Dawkins is the CTO and Co-Founder of TokenEx and has extensive experience with secure coding and data security. Jerry is the author of multiple publications and presents at national and international conferences. He also holds the following certifications: CISSP, NSA IAM, and CNS 4011-4015. Jerry received his B.A. in Computer Science from Fort Lewis College in Durango, CO and his M.S. and Ph.D. Degrees in Computer Science from the University of Tulsa in Tulsa, OK.
Read this article for more on the TokenEx Browser-based Encryption solution. Click to edit your new post…