Data Protection Report - Norton Rose Fulbright

By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Note also that Nevada law requires compliance with the Payment Card Industry Data Security Standards (PCI DSS) with respect to Nevada cardholders.

The reason for the change is that PCI DSS version 3.1, which was issued in April of 2015, required the upgrade by June 30, 2018. Encryption protocol TLS 1.0 dates back to 1999, and was vulnerable to a variety of cyberattacks, including POODLE in 2014. TLS 1.1 was issued in 2006, and TLS 1.2 was issued in 2008. Any server using any Windows Server version older than 2008 will not support either TLS 1.1 or 1.2, so upgrading encryption may involve more than a quick protocol fix. The PCI Security Standards Council has offered guidance on moving to higher encryption protocols, including an infographic.

Retailers who had previously upgraded their on-premises equipment with credit card chip readers have probably already seen fraudulent credit card charges decrease. As of February 2018, Visa reported that this type of fraud had decreased 70% in the U.S. as of September 2017, as compared to fraud reported in December 2015. Visa also reported that EMV (Europay, MasterCard, VISA) chip cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.

Retailers who need to upgrade their encryption protocols have no time to waste. Retailers using third-party processors should check to make sure the processor will meet the deadline.