In a few days, First Data will start to disable the accounts of customers who access its systems over insecure connections.
The company has been sending out notifications and reminders for over a year about changes that will be made to its Datawire service beginning on February 15th.
If merchants have taken no action, it could mean that their processing ceases immediately.
To many, First Data’s move demonstrates industry leadership in addressing a clear and present danger. Other processors are expected to take similar steps in the coming months.
All of this is being driven by a deadline set by the PCI Council. The mandate states that, by June 30, 2018, card data must be transmitted using only the secure versions of what’s known as the Transport Layer Security protocol, or “TLS”.
In a nutshell, TLS protects the integrity of the data transmission between computers on an open network. When, for example, a consumer visits a website, behind the scenes the consumer’s client device and the website’s host systems employ TLS to validate the website’s authenticity and encrypt the communications channel.
TLS protocols are periodically updated by NIST, a governmental standards body. The updates are needed to remedy known vulnerabilities and to defend against oncoming threats. Owners of host systems adopt a new TLS version by making changes to their server software and then inform customers of the date on which older versions of TLS will no longer be supported.
The PCI Council originally called for the industry’s switch to occur in 2016, but after a large outcry, it granted a two-year extension. Processors don’t envision another extension and cannot risk PCI non-compliance.
So, very soon, they will begin to “flicker the lights” as a way to let merchants know that the TLS upgrade is a serious matter requiring attention.
Small businesses are particularly impacted.
That’s because large retailers are already compliant, while small merchants often resist technology upgrades on the grounds of “if it ain’t broke, don’t fix it”.
Well, it’s about to break… and on a very large scale.
Some processors and gateways believe that 50% of their connections are non-compliant. Wow!
What’s worse is that when merchants scurry to fix ancient technology, they will likely find that old terminals cannot be updated and some POS software companies have gone out of business. Merchant help desks will light up across the country as a result.
The timing of the situation bears consideration, too.
The TLS update will roil the small business community at the very same time that new chargebacks will hit. Visa and American Express are due to lift their temporary blocks on EMV counterfeit chargebacks in April.
The overlay of these disruptive circumstances could very well create new winners and losers in the marketplace.
Because RevChip was built from the ground up for EMV and Apple Pay, it benefits from a modern software architecture. RevChip runs TLS 1.2, the PCI Council’s recommended version, and is capable of automated field updates that enable a quick transition when the next TLS version becomes necessary.
EMV need not be a huge expense or a technology hassle. Merchants should be able to preserve their current POS marketing programs and start running Quick Chip EMV and Apple Pay in just a few days. If you agree, check out RevChip.