Back in March, PCI Pal's Rohit Upasani wrote a blog post on migrating from SSL to TLS, but this isn't the only area of concern for website owners. If you're a Google Chrome user, you may have noticed that since the beginning of July certain websites have become harder to find or are labelled 'Not secure' in the URL bar. Google announced that as of 1st July 2018 it would flag all websites still served over the older, insecure HTTP protocol, as a way of driving website owners to upgrade to the more secure HTTPS/HTTP2 protocol. So, what does this mean for businesses and website owners? Let's look at this in more detail.
Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the world wide web. Essentially, it functions as a request-response protocol in the client-server computing model: for example, the web browser is the client and a website is the server. Because plain HTTP sends this information as plain text, intercepting it and therefore stealing data was not difficult. HTTP has been superseded by Hypertext Transfer Protocol Secure (HTTPS). Rather than sending information in plain text, all communications between your browser and websites using it are encrypted using TLS or SSL. In the mid-1990s Netscape released the Secure Sockets Layer (SSL) protocol as a way of encrypting data such as credit card information, usernames and passwords.
SSL was eventually replaced by Transport Layer Security (TLS) in response to several attacks such as BEAST and POODLE. The differences between TLS and SSL are minimal but significant. They both rely on cryptography, but TLS is considered significantly stronger for protecting sensitive data such as credit card details. As of PCI DSS v3.1 (released April 2015), SSL and early TLS are no longer considered examples of strong cryptography or secure protocols. As such, all service providers were required to migrate from SSL/early TLS to TLS v1.2 by 30th June 2018 to remain PCI compliant.
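A quick way to verify that a server actually meets the TLS v1.2 requirement described above is to attempt a handshake pinned to each protocol version in turn and then judge the result against the PCI DSS rule (SSL and early TLS disabled, TLS 1.2 or later accepted). The script below is an added example, not code from the original post or from PCI Pal; the hostname and port you pass to it are your own inputs, and the `pci_verdict` helper name is an assumption introduced here.

```python
"""Probe which TLS versions a server accepts and judge them against PCI DSS v3.1.
Added example (not from the original post); host/port are caller-supplied."""
import socket
import ssl

# Versions to probe. SSLv2/SSLv3 are not offered by modern OpenSSL builds, so they
# show up as "not negotiable from here" (False) rather than as accepted.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, port: int, name: str, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to exactly `name`."""
    version = VERSIONS[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower OpenSSL's security level so the *client* side will even offer
        # TLS 1.0/1.1; otherwise a legacy-only server would look like "refused".
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False                # local OpenSSL cannot speak this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_all(host: str, port: int = 443) -> dict:
    """Map each version name to whether the server accepted it."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def pci_verdict(supported: dict) -> tuple:
    """(compliant, weak_versions): compliant only if TLS 1.2+ is accepted and no
    SSL / early-TLS version is. Missing keys count as 'not accepted'."""
    weak = [v for v in ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1") if supported.get(v)]
    strong = any(supported.get(v) for v in ("TLSv1.2", "TLSv1.3"))
    return (strong and not weak), weak
```

Run `pci_verdict(probe_all("your.host.example"))` against a host you administer; a `False` verdict lists the legacy versions that still need to be switched off on the server.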
At a time when cyber-attacks and data breaches are on the rise, it's imperative that businesses take all necessary steps to ensure risk is minimized. Serving your site over HTTPS with a valid certificate ensures that sensitive information is encrypted in transit, but this is just one part of a much larger and more complex set of standards. PCI DSS now requires evidence of year-round compliance, and when looking at the multiple ways in which payments are taken within businesses, de-scoping using solutions such as agent assist ensures no sensitive card data enters the contact center environment, so there's no data to lose.