An Encryption Upgrade Could Upend Online Payments

While ditching TLS 1.0 encryption will benefit the payments ecosystem, it'll be rough going for those with older devices.
Alyssa Foote

At the end of June, digital credit card transactions are getting a mandatory encryption upgrade. It's good news—but not if you have an old device, or depend on a retailer that hasn't completed the transition.

When data moves from one device to another, it needs protection so it can't be intercepted and manipulated along the way. This defense is especially crucial, as you might imagine, for sensitive communications like financial transactions. And with credit card fraud booming, the Payment Card Industry Security Standards Council announced last year that it would phase out an old, flawed encryption protocol used for processing digital credit card transactions, called Transport Layer Security 1.0, in favor of more secure options. The deadline: June 30.

Though there are exceptions for merchants that run their own payment processing servers, organizations that use PCI-compliant commerce platforms—almost everyone—need to upgrade the encryption protocols on their websites and payment terminals if they haven't already. Running these updates should be pretty easy for a small business that has a couple of credit card readers and a website, but merchants need to know to do it in the first place. Large companies with thousands of payment terminals and a massive web presence face a more significant update challenge. With the deadline just weeks away, some are still scrambling. In the worst-case scenarios, those credit card transactions will simply stop going through.

"This update is a big deal in the e-commerce platform world, because every merchant is using unique integrations and needs to be up to date so transactions don't fail," says Jack Cravy, vice president of operations at the software provider AmeriCommerce, which has been working with customers to prepare for the transition. "A lot of these platforms that haven’t updated yet need to get on the ball pretty soon, or they’re going to be in hot water."

In addition to potential problems on the merchant side, older software and devices may not support the improved encryption protocols, meaning that transactions could fail on the user side as well. Independent of the push to secure credit card transactions, many sites have transitioned to more secure encryption in the past few years; if your device is that old, you've likely noticed it by now already. And even if you're running an ancient or poorly forked version of Android, or a musty iOS, you may be able to get around the problem if your device can run a fairly current browser that supports TLS 1.1 and 1.2.

If you're concerned that your device might not be ready for the shift, you can check which TLS versions your browser supports with the browser test tool from the cloud security firm Qualys.

The push in e-commerce to update encryption protocols mirrors broader efforts across the tech industry to standardize this type of data protection. The little green padlock in your browser, for instance, uses Transport Layer Security to connect web servers and your browser, authenticate both sides, and then prevent eavesdropping as data goes through the channel. Until now, digital payments could be processed with TLS 1.0, 1.1, or 1.2. But TLS 1.0, codified in 1999, has shown its age, and has known vulnerabilities to numerous attacks, including the not-cute POODLE bug. TLS 1.1 from 2006 and the popular TLS 1.2 from 2008 have their own problems, but at least eliminate some of the worst exposures of 1.0.
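A merchant preparing for the cutoff wants to know which of its customers' clients would break once TLS 1.0 is switched off. The following is an added example, not code from the article or from any vendor it mentions: it parses the version fields of a TLS ClientHello (the legacy client_version plus the TLS 1.3 supported_versions extension) and reports the highest version the client can offer, which is the only version that matters once 1.0 is gone. The ClientHello bytes are constructed inside the block rather than captured, and the function names are my own.

```python
import struct

# Protocol version numbers as they appear on the wire (RFC 5246 / RFC 8446).
TLS_VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type registered by RFC 8446

def build_client_hello(legacy_version, supported_versions=None):
    """Build a minimal, constructed ClientHello record (sample input, not a capture)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32  # version + random
    body += b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"     # no session id, one suite
    body += b"\x01\x00"                                      # null compression only
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def highest_offered_version(data):
    """Return the highest version a ClientHello offers, or None if it is not one."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:       # handshake record, ClientHello
            return None
        best = struct.unpack("!H", data[9:11])[0]    # legacy client_version
        pos = 11 + 32                                # skip client random
        pos += 1 + data[pos]                         # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
        pos += 1 + data[pos]                         # compression methods
        if pos + 2 <= len(data):                     # extensions block is optional
            ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                if etype == SUPPORTED_VERSIONS_EXT:  # TLS 1.3 clients list versions here
                    vers = data[pos + 1:pos + elen]
                    offered = [struct.unpack("!H", vers[i:i + 2])[0]
                               for i in range(0, len(vers) - 1, 2)]
                    # Ignore GREASE and draft values: keep only real protocol versions.
                    best = max([best] + [v for v in offered if v in TLS_VERSION_NAMES])
                pos += elen
    except (IndexError, struct.error):
        return None                                  # truncated or malformed record
    return TLS_VERSION_NAMES.get(best, hex(best))

def fails_without_tls10(data):
    """True if this client could never negotiate anything newer than TLS 1.0."""
    return highest_offered_version(data) in ("SSLv3", "TLS 1.0")
```

Run over ClientHellos captured at the edge of a payment site, this flags the stragglers before a cutoff turns their transactions into failed checkouts.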

"In the winter of 2014 to 2015, there were a number of vulnerabilities discovered that allowed attackers to fully decrypt network traffic protected by TLS 1.0," says Kenn White, director of the Open Crypto Audit Project. "The problems are fundamental protocol design issues, not something that can be easily fixed."

Many merchants proactively upgraded past TLS 1.0 years ago, and the industry has had more than a year to prepare for the transition, which the PCI Security Standards Council describes as "critically important." Platform providers like PayPal and AmeriCommerce have offered support to customers, and have been running "smokescreens" for months in which they shut off TLS 1.0 support for an hour or so at a time to help merchants that still haven't upgraded realize the severity of the problem. As a result of this industry-wide push, customers likely won't experience problems transacting with the bulk of mainstream retailers, but there could still be issues with more peripheral organizations or those that don't have digital transactions at the core of their work.

"It will mostly just be a few stragglers that are using 1.0, but they may still do a lot of volume, so it’s hard to say that they’re not important and we've just been trying to warn them," AmeriCommerce's Cravy says. "It’s a weak protocol, there are known exploits for it, so it becomes a risk for fraud and information theft if you’re using it. It's a big deal."

As with any transition, observers expect some problems at first, but note that the move away from TLS 1.0 is worth it and long, long overdue—especially for web traffic where money's involved.
