Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Why You Should Get Familiar with TLS if You Accept Credit Cards


The group that manages the Payment Card Industry Data Security Standard quietly announced in February that an imminent update was coming to its payment card and application requirements related to the use of the SSL encryption protocol. Since then, there has been growing concern among merchants about what the changes mean to them.

The confusion among retailers generally can be boiled down to two questions:

1) What will the new updates require me to do?

2) What happens to my SSL certificates?

First let's explain what's going on: On Feb. 13, the PCI Security Standards Council informed its assessor community that SSL (Secure Sockets Layer) - a protocol designed to ensure that data provided between a web server and a web browser, such as credit card information, remains secure - is no longer an acceptable way to provide "strong cryptography." This is due to a number of known fundamental vulnerabilities - some of which, such as Heartbleed, we have documented here, here and here - that essentially make SSL, as an encryption mechanism, obsolete.

Last week, the council made the news official by offering additional information (PDF) in the form of an FAQ, including encouraging merchants to upgrade to SSL's successor, a much-stronger protocol known as Transport Layer Security (TLS). Think of TLS - the current version is 1.2 - as a more evolved version of SSL. With the migration, retailers are getting rid of the old stuff that doesn't work very well anymore.

The PCI council also stated that later this month it will publish an update (version 3.1) to the PCI DSS. An update to the Payment Application DSS (PA-DSS) is scheduled to follow. Merchants will be given a certain amount of time to implement the changes.

While the council doesn't plan to immediately crack the whip on retailers, many of whom are still getting comfortable with the 3.0 versions of both payment standards, businesses should become familiar with their new payment security responsibilities.

So let's go back to the earlier questions:

What will the new updates require me to do?

For merchants, such as e-commerce companies, accepting payments in card-not-present environments, they must disable SSL and configure their web servers to use the most recent version of TLS. If they outsource the management and maintenance of their commerce environment to a hosting provider, then that vendor will do this for them. Card-present merchants, on the other hand, must consult with their point-of-sale and payment application vendors to ensure the payment-acceptance software they are using is not communicating with the SSL protocol.

What happens to my SSL certificates?

Nothing, unless you have reason to believe that you were compromised with one of the recent SSL exploits. Your certificates are, essentially, files that store cryptographic key information and identification information for whom the certificate was issued. The SSL or TLS protocol is just part of the way the server defines the 'rules' for how that encryption is implemented into the conversation between the client and server.


Retailers of all types should stay on top of this developing situation, considering what we know about the dangers of SSL as an encryption protocol, as well as the fact that a business may be able to outsource certain commerce responsibilities to a third-party, but not its liability associated with a data breach.

So, those are the basics of what you need to know. If you have any additional questions or concerns, please leave them in the comments.

UPDATE (Jan. 19, 2016): The Payment Card Industry Security Standards Council (PCI SSC) announced in December that it is extending the migration completion date to June 30, 2018 for transitioning from SSL and TLS 1.0 communication protocols to a secure version of TLS (currently v1.1 or higher). The new date of June 2018 (replacing the June 2016 deadline) offers additional time to migrate to the more secure protocols, but waiting is not recommended.

Dan Kaplan is manager of online content and a former IT security reporter and editor.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More