Monday, 18 April 2016

Are you securing your customer’s online transaction data?



If your eCommerce website allows shoppers to pay by credit card online, vulnerabilities in SSL and early TLS could allow shoppers’ data to fall into the wrong hands. With online shopping now so widespread, online security has become a critically important concern for eCommerce website owners and small merchants.

What is SSL/TLS?

In 1994, Netscape introduced SSL (Secure Socket Layer). After fifteen years, SSL v3.0 was superseded by TLS 1.0 and TLS 1.1, and now TLS v1.2. SSL and TLS are protocols that protect the integrity and confidentiality of data transmitted through an insecure environment by providing client-server authentication and encrypting the messages between the authenticated parties.

After the recent POODLE attack, it has been found that SSL and early TLS do not meet the security needs of organizations that must implement strong cryptography to protect payment data over public or untrusted communication channels.

How big is the Risk?

Despite being exposed to security vulnerabilities, SSL still remains one of the most widely-used encryption protocols. According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

PCI declared that time is up and that we should bid goodbye to the Secure Socket Layer (SSL) versions, which have been in the market for 20 years now and have been considered the most widely used encryption protocol ever released.

Most importantly, PCI has revised its original sunset date for SSL and early versions of TLS to 30 June, 2016. In any case, the Council has come to this conclusion and stated in PCI DSS v3.1 that SSL and early TLS are no longer secure protocols and are not examples of strong cryptography.

What do you need to do?

As a business owner, you need to ensure that your website and its server are served over TLS 1.2 and that SSL support has been disabled. Online customers need to feel that their transactions are secure; otherwise they will never purchase goods and services from a website that does not follow the latest PCI compliance requirements.

The bottom line is that organizations should act immediately to remove all support for SSL and TLS 1.1 to avoid any real threat to payment data security.
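To check a server for the protocol support described above, the following added example (not part of the original post) audits web server configuration text for the nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports any line that still enables SSL or early TLS. The sample configuration is constructed, the handling of Apache's `all` keyword is a labelled assumption, and the parser is a simplification that reads one directive per line.

```python
import re

# Protocols the article says to retire: every SSL version and early TLS.
# Counting TLSv1.1 as early TLS follows its advice to move to TLS 1.2.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
KNOWN = DEPRECATED | {"TLSv1.2"}
# Assumption: Apache's "all" means SSLv3 plus every TLS version; the real
# expansion depends on the httpd/OpenSSL build.
APACHE_ALL = KNOWN - {"SSLv2"}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)


def enabled_protocols(args):
    """Resolve directive arguments, left to right, to the enabled set."""
    enabled = set()
    for token in args.split():
        remove = token.startswith("-")
        name = token.lstrip("+-").lower()
        if name == "all":
            names = APACHE_ALL
        else:  # tokens this example does not know are ignored
            names = {p for p in KNOWN if p.lower() == name}
        enabled = enabled - names if remove else enabled | names
    return enabled


def audit(config_text):
    """Return (line number, directive, weak protocols) per offending line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            weak = sorted(enabled_protocols(match.group(2)) & DEPRECATED)
            if weak:
                findings.append((number, match.group(1), weak))
    return findings


# Constructed sample: one nginx directive and two Apache directives.
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # nginx: still offers early TLS
SSLProtocol all -SSLv3                 # Apache: TLS 1.0 and 1.1 still on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# ssl_protocols SSLv3;
"""

if __name__ == "__main__":
    for number, directive, weak in audit(SAMPLE):
        print(f"line {number}: {directive} enables {', '.join(weak)}")
```

A clean result here only covers the directives in the text it was given; included files and virtual-host overrides need to be passed through the same check.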

Additionally, modern web browsers will begin prohibiting SSL and early TLS connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol like TLS 1.2. If a cardholder is using a deprecated browser based on TLS 1.0, the payment page will not be displayed to him. Thus, it is essential for the cardholder to upgrade his web browser to one that supports the current TLS v1.2.

All major payment gateways, like PayPal, UPS, FedEx, Authorize.net, etc., have sounded a warning bell on the security breach and have already upgraded to TLS v1.2 to avoid any disruption of service.

So, if you do not want to lose your valuable online customers, migrate to TLS v1.2 immediately.

9 comments:

  1. Thank you for the really useful article.
    Indeed, clients' data security is a hot-button topic today. As far as I know, there are multiple solutions for this problem such as data room virtual services. I think those are necessary if someone needs a quality service.

    Replies
    1. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn from Javascript Online Training from India . or learn thru JavaScript Online Training from India. Nowadays JavaScript has tons of job opportunities on various vertical industry. ES6 Training in Chennai

  2. As for me it is important to have a good software for your business. I've been using this service software https://jitbit.com/ . He helped me to automate the work and do not pay attention to small things. This software does a lot of that on their own. The money I gave for it paid off very quickly.

  3. Keep your data in safe place far away from hackers.
    security-online

  4. One of the things that concerns a lot of people when they buy anything online is that they cannot be sure what they are getting, this is true of software as much as anything. http://www.ggetintopc.com

  5. Online Shopping is the latest emerging trend in Indian Market which will provide a lot of comfort to customer with their shopping habits. online shopping in India
