At the end of June, digital credit card transactions are getting a mandatory encryption[1] upgrade. It's good news—but not if you have an old device, or depend on a retailer that hasn't completed the transition.
When data moves from one device to another, it needs protection so it isn't intercepted and manipulated along the way. This defense is especially crucial, as you might imagine, for sensitive communications like financial transactions. And with credit card fraud booming, the Payment Card Industry Security Standards Council announced last year that it would phase out an old, buggy encryption scheme used for processing digital credit card transactions, called Transport Layer Security 1.0, in favor of more secure options. The deadline: June 30.
'The problems are fundamental protocol design issues, not something that can be easily fixed.'
Kenn White, Open Crypto Audit Project
Though there are exceptions for merchants that run their own payment processing servers, organizations that use PCI-compliant commerce platforms—almost everyone—need to upgrade the encryption protocols on their websites and payment terminals if they haven't already. Running these updates should be pretty easy for a small business that has a couple of credit card readers and a website, but merchants need to know to do it in the first place. Large companies with thousands of payment terminals and a massive web presence face a more significant update challenge. With the deadline just weeks away, some are still scrambling. In the worst-case scenarios, those credit card transactions will simply stop going through.
"This update is a big deal in the e-commerce platform world, because every merchant is using unique integrations and needs to be up to date so transactions don't fail," says Jack Cravy, vice president of operations at the software provider AmeriCommerce, which has been working with customers