SMBs at Risk When Not TLS Compliant
The July 1, 2018 deadline for implementing the newer versions of TLS has passed, and according to experts, nearly one third of small merchants don’t have these protocols in place. Even after years of notice, many merchants still don’t meet the new requirements, so merchant acquirers, processors, and networks are working continuously to bring merchants up to speed and make sure they are PCI compliant.
According to Michael Aminzade, vice president of global compliance and risk services for Trustwave Holding Inc., there are two main reasons why TLS adoption is lagging among smaller merchants. The first is the lack of financial resources to become compliant, and the second is that compliance has not become an important part of their business culture.
Who Is Enforcing This New Standard?
Merchant acquirers oversee enforcement of the new standard, which will determine whether non-compliant merchants will be allowed to accept card payments moving forward. For brick-and-mortar merchants, the connection between a POS terminal and the processor will be used to determine whether they can continue to accept card payments. It all depends on whether the connection is vulnerable to hackers. If the connection is vulnerable, that raises the issue of compensating controls to fortify known weaknesses, according to digitaltransactions.net.
Troy Leach, chief technology officer of the PCI Council, says that “if compensating controls are considered after July 1, the risk of exposing the information needs to be eliminated, for example, by encrypting data before it goes over the SSL/TLS connection or, alternatively, tunneling the SSL/TLS connection inside a VPN [virtual private network] that uses strong cryptography.”
So How Does It Affect My Business?
SMBs that do not take measures to ensure their version of TLS meets the proper PCI standards are at risk of being hacked. More importantly, these same merchants may be unable to process transactions, which would impact business success.
What Do Merchants Need to Do?
Merchants should call their website developer, web-hosting provider, or software/POS provider to ask them:
- “Does my website, shopping cart, software, or POS support TLS version 1.2?”
- If not, your provider will need to enable the proper protocols to support TLS 1.2.
- If changes are made, you should test your system for proper functionality.
Is Your Business PCI-Compliant? Find Out:
Contact us online or call 1-800-621-8931.