Recently, First Data began steps to disable the accounts of customers who access its systems over insecure connections.
The company has been sending out notifications and reminders for over a year about the important changes that it is making to its Datawire communication service.
If merchants have taken no action, it could mean that their processing ceases immediately.
To many, First Data’s move demonstrates industry leadership on addressing a clear and present danger. Other processors are expected to take similar steps in the coming months.
All of this is being driven by a deadline set by the PCI Council.
The mandate states that, by June 30, 2018, card data must be transmitted using only the secure versions of what’s known as the Transport Layer Security protocol, or “TLS”.
In a nutshell, TLS protects the integrity of the data transmission between computers on an open network. When, for example, a consumer visits a website, behind the scenes the consumer’s client device and the website’s host systems employ TLS to validate the website’s authenticity and encrypt the communications channel.
TLS protocols are periodically updated by NIST, a governmental standards body. The updates are needed to remedy known vulnerabilities and to defend against oncoming threats. Owners of host systems adopt a new TLS version by making changes to their server software and then inform customers of the date on which older versions of TLS will no longer be supported.
The PCI Council originally called for the industry’s switch to occur in 2016, but after a large outcry, it granted a two-year extension. Processors don’t envision another extension and cannot risk PCI non-compliance.
So, very soon, they will begin to “flicker the lights” as a way to let merchants know that the TLS upgrade is a serious matter requiring attention.
Small businesses are particularly impacted.
That’s because large retailers are already compliant, while small merchants often resist technology upgrades on the grounds of “if it ain’t broke, don’t fix it”.
Well, it’s about to break… and on a very large scale.
Some processors and gateways believe that 50% of their connections are non-compliant. Wow!
What’s worse is that when merchants scurry to fix ancient technology, they will likely find that old terminals cannot be updated and some POS software companies have gone out of business. Merchant help desks will light up across the country as a result.
The timing of the situation bears consideration, too.
The TLS update will roil the small business community at the very same time that new chargebacks will hit. Visa and American Express are due to lift their temporary blocks on EMV counterfeit chargebacks in April.
The overlay of these disruptive circumstances could very well create new winners and losers among payment servicers in the United States.
Because RevChip was built from the ground up for EMV and Apple Pay, it benefits from a modern software architecture. RevChip runs TLS 1.2, the PCI Council’s recommended version, and is capable of automated field updates that enable a quick transition when the next TLS version becomes necessary.
RevChip is the most comprehensive and affordable EMV and Apple Pay software built for the U.S. market. It connects to major processors without a transaction fee and runs equally on Verifone and Ingenico devices. Using RevChip, merchants eliminate card data from their systems and shrink the burdens of PCI. The RevChip SDK provides POS developers with a quick and thorough integration without the hassles of middleware.
To learn more about how RevChip solves for EMV and Apple Pay, download our POS Developer Guide or reach us at (800)560-0415.