TLS 1.2: Will your e-commerce website be able to accept payments after imminent changes to payment gateways?

The Payment Card Industry (PCI) Security Standards Council has been planning for a while now to make online payments made via payment gateways more secure by improving encryption.

It announced measures that require all payment gateway providers to upgrade their encryption from Secure Sockets Layer (SSL) to Transport Layer Security (TLS). Providers have been told they must upgrade to at least TLS 1.2 because “the vulnerabilities within SSL and early TLS are serious and left unaddressed put organizations at risk of being breached”.

This was due to be implemented by the end of June 2016, but that date was extended until 30 June, 2018, when it became clear that such widespread changes and phasing out of the long-standing SSL protocol was going to take longer than initially planned.

Although the deadline is now more than a year away, many gateway providers have decided not to wait and press ahead with upgrading their systems as soon as possible.

Realex Payments will implement the changes on 13 April, 2017, or 8 August, 2017 (depending on which of their systems you are using), while PayPal has announced it will upgrade on 30 June, 2017.

If you use these or any other third-party payment gateways, you will probably have been receiving emails from the provider to inform you what they are planning.

What you need to do

The upshot is that your server will need to support TLS 1.2 by the time your provider implements the changes in order to continue accepting payments. Depending on which operating system your site is hosted on, an upgrade might be necessary.

If you’re running Ubuntu 12.04+, TLS 1.2 is supported out of the box.

Windows Server 2008 R2 also supports TLS 1.2, but you might need to change a registry setting and reboot the server in order for it to work correctly.

Older operating systems might not support TLS 1.2 and it cannot be added retrospectively so, in order to continue accepting payments via payment gateways, you will need to migrate your website to a new server.

Tibus customers who accept online payments via a third-party payment gateway can contact us via the usual support channels. We will check your website and server, and provide information on any action that needs to be taken.