Transport Layer Security
What is all this about?
Earlier this year, the Payment Card Industry (PCI) updated its Digital Security Standard (PCI-DSS). The update determined that all versions of the Secure Sockets Layer (SSL) and early versions of the Transport Layer Security (TLS) encryption mechanisms are insecure and should not be used. This change in the security standard will necessitate changes to nearly all commercial websites that transact in credit cards or handle sensitive information. The need for the change is evidenced by some fairly high-profile vulnerabilities and attacks that were published earlier (BEAST, FREAK, POODLE, Heartbleed, etc.).
Merchants has supported TLS v1.1 and TLS v1.2 for some time. However, support for TLS v1.0 will soon be ending. Consequently, Merchants is moving to complete the final stage of this transition.
Beginning on Thursday, March 31, 2016, Merchants Information Solutions, Inc. will no longer support an early version of TLS (v1.0). Your browser will need to be reconfigured to utilize at least TLS v1.1 (TLS v1.2 is much preferred).
How do I discover what security mechanisms my browser can support?
Qualys (through their SSL Labs project) provides a very nice utility you can use to test the security settings of your browser. Another such utility is HowsMySsl. Use either or both of these utilities to discover what your browser supports.
OK, now I know that I need to reconfigure. How do I do that?
If you have a help desk or technical support function at your company, they should already know how to perform this update for you and are the preferred means of making a change to your system. If you are self-supported, DigiCert provides a nice step-by-step guide, covering all of the major browsers, for how to disable SSL v3.0 (which many browsers still support). Follow the pattern articulated in these steps (disabling SSL v3.0 and TLS v1.0 while at the same time enabling TLS v1.1 and TLS v1.2) to reconfigure and secure your browser.
Do be aware that some systems cannot support TLS v1.1 or TLS v1.2. Older operating systems like Windows XP cannot be reconfigured. Microsoft dropped support for Windows XP and older versions of the operating system some time ago and recommends that users of those systems upgrade; we agree.
I have reconfigured my browser. How do I know if it will work properly on the Merchants sites?
Go back to the SSL Labs test site or HowsMySsl to verify your new configuration. This will tell you if it supports TLS v1.1 and/or TLS v1.2 (required by the Merchants sites).
Since reconfiguring my browser, I am able to successfully visit the Merchants websites. However, there are one or more Internet websites (unrelated to Merchants) that I can no longer view. How do I configure my browser to both view the old websites and continue to access Merchants websites?
Most commercial websites currently support TLS v1.1 and TLS v1.2, most notably those that transact in financial or other sensitive data (like online banking or online shopping). However, there may be a few that continue to depend on the older insecure versions. Due to the risk of data loss through the use of older insecure versions, we recommend that you not visit those sites until the sites add support for TLS v1.1 and TLS v1.2. It is possible to configure the browser to use both the secure and the insecure versions, but we strongly caution against doing so.
Now that my browser is secure, I am worried about the website that my company operates. How do I test if it is properly configured?
SSL Labs also provides a free evaluation of websites. You might consider using this as one of the tools to assess your ability to protect your customers’ data.
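For a quick check of your own server from a workstation, the following added example (not part of the original notice and not a Merchants or SSL Labs tool) attempts one handshake per protocol version and compares the outcome with the policy described above. The function names probe and evaluate are illustrative, and the host you pass in is assumed to be a server you operate.

```python
import socket
import ssl
import warnings

# Policy taken from the page: refuse SSL v3.0 and TLS v1.0, accept TLS v1.1 and/or v1.2.
FORBIDDEN = ("SSLv3", "TLSv1")
REQUIRED_ANY = ("TLSv1_1", "TLSv1_2")

def probe(host, port=443, timeout=5.0):
    """Map each version to True (accepted), False (refused) or None (client cannot offer it)."""
    results = {}
    for name in FORBIDDEN + REQUIRED_ANY:
        results[name] = None
        if not getattr(ssl, "HAS_" + name, False):
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Only protocol negotiation is measured and no data is sent,
        # so certificate validation is skipped for this probe.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, name)
            # Recent OpenSSL defaults reject old versions on the client side.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            continue
        # TCP connection errors propagate: unreachable is not the same as refused.
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
            except OSError:  # includes ssl.SSLError and connection resets
                results[name] = False
    return results

def evaluate(results):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    for name in FORBIDDEN:
        if results.get(name):
            findings.append(name + " is accepted and should be disabled")
        elif results.get(name) is None:
            findings.append(name + " could not be tested from this client")
    if not any(results.get(name) for name in REQUIRED_ANY):
        findings.append("neither TLSv1_1 nor TLSv1_2 was accepted")
    return findings
```

Calling evaluate(probe("www.example.com")) with your own host name in place of the placeholder returns the findings. A "could not be tested" result means the local OpenSSL build cannot offer that version, so confirm it with the SSL Labs evaluation.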