Retail Implications to Sunsetting SSL 3 and SHA-1
Two security requirements issued by the major card brands (Visa, Mastercard, Discover, American Express) and the PCI Council (Card-brand owned self-regulatory body for the payment industry) will go into effect in 2017 and 2018 and will require action to ensure that credit card payments can still be accepted through your point-of-sale system.
In June 2017, older encryption standards, called SHA-1, will be depreciated by the payment processors. This encryption standard will be replaced by SHA-2 and SHA-3, which are more complex and provide a much greater level of security during encrypted transactions.
Further, in June 2018, all secure connections will be required to use TLS 1.1 or higher, instead of the current standard, SSL 3, when creating secure connections.
What are these technologies?
SHA is short for Security Hash Algorithm. It was developed by the United States National Security Agency (NSA) and is published as an encryption standard by the United States National Institute of Standards and Technology (NIST). In 2010, a researcher was able to expose the encryption in SHA-1 by spending around $3 Million US on cloud processing. In 2015, Using Amazon’s cloud-based EC platform, that amount was reduced to around $100,000 US. Due to the shorter timeframe and smaller financial investment necessary to compromise a SHA-1 encryption key, the US Government (mostly) phased out SHA-1 in 2010. In 2015, the PCI Council slated SHA-1 for depreciation in 2016, but that date was delayed until June 2017.
SSL 3.0, short for Secure Socket Layer, was launched in 1996. It is the protocol between systems (computers and servers) that secures connections. This is slightly different from SHA above, which is specific to the data being transported by this protocol. SSL remains in widespread use today, even though it has been depreciated by most standards as of late 2014 after a major flaw was located in October 2014. It’s replacement, TLS, (Transport Layer Security) was unveiled in 1999, and the current standard, TLS 1.2, was launched in 2008.
Both TLS and SHA-2 are considered acceptable encryption standards by the US Government and the PCI Council.
What does this mean for my business?
The most glaring implication is for legacy systems running older operating systems. iOS 8 and below, Andoird 4.0 and below, Windows XP and below all are without capability to run SHA-2 and/or TLS 1.2. This means that hardware or operating systems updates will be required. In addition, your point of sale software will need to be updated to account for SHA-2 and TLS 1.2 also.
Where can I get help?
If you’re struggling to make sense of the requirements, Flyght can help. Our customers are already slated for necessary upgrades, and will see no impact to services. We’re here to help, always, so just reach out with questions.