PayPal, like many payment vendors, is “updating its services to require TLS 1.2 for all HTTPS connections.” Even non-payment vendors such as UPS are making the switchover. What is TLS, does it affect me as I browse the web, and who/what is driving this change?
What is TLS?
Most of us understand to look for a secure URL (e.g. https://) on a web page before we enter sensitive information like a password or credit card number. Having the ‘s’ indicates that the page will receive your data securely via an encrypted communication between your browser and the server hosting that page. The more techie folks may know that the secure communication protocol originally used was called SSL (Secure Sockets Layer) and more recently TLS (Transport Layer Security.) Most of us may not realize that behind the scenes the protocols used for encrypting have been steadily updated to be even more secure. The latest and greatest update is for TLS version 1.2.
We all want the best security possible so, yay! — browsers, web servers, payment gateways, let’s all use TLS 1.2! Yes, that is a good idea and that is what is currently in process to happen. However, every piece of software involved in your web surfing experience needs to be updated to support the latest protocol. For a few years now the newest versions of your web browser as well as many web servers have supported TLS 1.2 (as well as earlier versions of TLS and even SSL.)
Am I Affected?
As a web surfer, there is nothing you need to do as long as you have updated your web browser in the past few years (it is always good to keep your browser updated!) Likewise, most hosting providers are running a web server that supports TLS 1.2. The sticky point for end-to-end TLS support has been the payment gateways. It is a lot of work to upgrade their payment software and to ensure all 3rd-parties that communicate with their software support TLS 1.2. This includes Shopping Cart vendors and others. You don’t want to turn off support for protocols earlier than TLS 1.2 and have shoppers and merchants running older software mad that they cannot make online payments! Fortunately, this transition has been expected for several years now. In fact, PayPal originally announced the switchover for June of 2016, now it is scheduled for June of 2018.
Why TLS by June 2018?
What is special about this June for the switchover date? June 2018 is the deadline mandated by the Payment Card Industry (PCI) Security Council. The PCI council is sponsored by Visa and the other credit card companies and sets the standards that payment vendors like PayPal must adhere to. Not only does what they say carry a lot of weight, but payment vendors could face fines if they do not follow the recommendations.
Will Online Shopping be Disrupted?
What can we expect to happen after June 2018? A few shoppers will probably encounter online shops running older software and therefore not be able to complete an order. This was the experience at some shops using payment vendors that have already made the switchover. While all your big sites like Amazon, Wal*Mart, and others will not have a problem, there will be smaller merchants that have not kept their Shopping Cart software up to date. Luckily, most merchants are already running up to date software. For example, our Shopping Cart software — ShopSite version 12 sp2 r4 — has supported TLS 1.2 for nearly 2 years. Plenty of time for a merchant to plan and complete an upgrade. Of course, as soon as any merchant realizes their orders have stopped they will quickly update their site, so most of us will not see any problems at all!
Unless you, as a user, are running a really old web browser there is nothing that you need to do. As a merchant, you should check with your shopping cart vendor to ensure that you are running a version that will support TLS 1.2.
David A. Hills is CEO of ShopSite, Inc. which develops ShopSite shopping cart software used by thousands of merchants.