What is TLS and How Does It Affect My Customers?

PayPal, like many payment vendors, is “updating its services to require TLS 1.2 for all HTTPS connections.” Even non-payment vendors such as UPS are making the switchover. What is TLS, does it affect me and my customers, and who or what is driving this change?

 

 

What is TLS?
Most of us know to look for a secure URL (e.g. https://) on a web page before we enter sensitive information like a password or credit card number. The ‘s’ indicates that the page will receive your data securely over an encrypted connection between your browser and the server hosting that page. The more techie folks may know that the secure communication protocol originally used was called SSL (Secure Sockets Layer) and, more recently, TLS (Transport Layer Security). Most of us may not realize that, behind the scenes, the protocols used for encrypting have been steadily updated to be even more secure. The latest and greatest update is TLS version 1.2.

We all want the best security possible so, yay! — browsers, web servers, payment gateways, let’s all use TLS 1.2! Yes, that is a good idea, and that is what is currently in the process of happening. However, every piece of software involved in your web surfing experience needs to be updated to support the latest protocol. For a few years now, the newest versions of your web browser, as well as many web servers, have supported TLS 1.2 (as well as earlier versions of TLS and even SSL).

Am I Affected?
As a web surfer, there is nothing you need to do as long as you have updated your web browser in the past few years (it is always good to keep your browser updated!). Likewise, most hosting providers are running a web server that supports TLS 1.2. The sticking point for end-to-end TLS support has been the payment gateways. It is a lot of work for them to upgrade their payment software and to ensure that all third parties that communicate with their software support TLS 1.2. This includes Shopping Cart vendors and others. You don’t want to turn off support for protocols earlier than TLS 1.2 and have shoppers and merchants running older software mad that they cannot make online payments! Fortunately, this transition has been expected for several years now. In fact, PayPal originally announced the switchover for June of 2016; it is now scheduled for June of 2018.

Why TLS by June 2018?
What is special about this June for the switchover date? June 2018 is the deadline mandated by the Payment Card Industry (PCI) Security Council. The PCI council is sponsored by Visa and the other credit card companies and sets the standards that payment vendors like PayPal must adhere to. Not only does what they say carry a lot of weight, but payment vendors could face fines if they do not follow the recommendations.

Will Online Shopping be Disrupted?
What can we expect to happen after June 2018? A few shoppers will probably encounter online shops running older software and therefore not be able to complete an order. This was the experience at some shops using payment vendors that have already made the switchover. While all your big sites like Amazon, Wal*Mart, and others will not have a problem, there will be smaller merchants that have not kept their Shopping Cart software up to date. Luckily, most merchants are already running up-to-date software. For example, our Shopping Cart software — ShopSite version 12 sp2 r4 — has supported TLS 1.2 for nearly 2 years. That is plenty of time for a merchant to plan and complete an upgrade. Of course, as soon as any merchant realizes their orders have stopped they will quickly update their site, so most of us will not see any problems at all!

Unless you, as a user, are running a really old web browser there is nothing that you need to do. As a merchant, you should check with your shopping cart vendor to ensure that you are running a version that will support TLS 1.2.
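
What "supporting TLS 1.2" means on the wire, as an added example that is not ShopSite or PayPal code: the Python below parses the ClientHello a client sends and reports the highest protocol version it offers, which is what a TLS 1.2-only endpoint accepts or refuses. It inspects the Python/OpenSSL it runs under, not ShopSite itself; `gateway.example` and the hand-built TLS 1.0 hello are constructed placeholders, and nothing is sent over the network.

```python
import ssl
import struct
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_hello_from(ctx):
    """Raw ClientHello record this context would send; nothing touches the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="gateway.example")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has written its hello and awaits a reply
    return outgoing.read()

def constructed_hello(version):
    """Hand-built, extension-free ClientHello for a client capped at `version`."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def highest_offered(record):
    """Highest protocol version a ClientHello record advertises."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    best = struct.unpack_from("!H", record, 9)[0]  # legacy client_version field
    pos = 43  # 5B record header + 4B handshake header + 2B version + 32B random
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]                               # compression methods
    if pos + 2 > len(record):
        return best  # no extensions at all (older clients)
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == 0x002B:  # supported_versions, sent by TLS 1.3 clients
            offered = struct.unpack_from("!%dH" % (record[pos + 4] // 2), record, pos + 5)
            best = max([best] + [v for v in offered if v in NAMES])  # ignore GREASE
        pos += 4 + ext_len
    return best

def survives_tls12_only(record):
    return highest_offered(record) >= 0x0303  # endpoint refuses anything below TLS 1.2

if __name__ == "__main__":
    hellos = {"this host's Python/OpenSSL": client_hello_from(ssl.create_default_context()),
              "constructed TLS 1.0-only client": constructed_hello(0x0301)}
    for label, hello in hellos.items():
        print(label, "offers up to", NAMES[highest_offered(hello)],
              "(ok)" if survives_tls12_only(hello) else "(handshake would fail)")
```

Run it with the same interpreter and OpenSSL build that your own integration scripts use; a different runtime on the same server can give a different answer.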

Is PayPal Occasionally Failing because of TLS Testing?

PayPal has announced that they will require the secure communications protocol — TLS 1.2 — by June 2018.  However, they will be periodically testing on live stores starting in March* and continuing until the switch over.  Here’s part of the message they are sending to their merchants:

Please note, over the next few months, PayPal will conduct several rounds of testing to emulate the upgraded security experience so merchants can understand the areas of their integration that still require security protocol upgrades. If you have already made the required upgrades as outlined on the 2017-2018 Merchant Security Microsite, your PayPal integrations will not be impacted. If you have not made the required upgrades, we encourage you to do so as soon as possible to avoid service interruption that may occur during our security upgrade testing activities.

Dates for these tests and full deployment will be published on our Merchant Security Upgrade Testing page at least two weeks prior to implementation so please bookmark and return frequently for the most up to date information.

Typically the requirement to only accept TLS 1.2 will last for about an hour.  However, the timing of that hour can be during your busiest hours! 

Am I Affected?

If you are using ShopSite version 12 sp2 r4 or greater (12 sp3 for Windows Servers) you are good to go.

The current release of ShopSite at the time of this post is version 14.0. Here’s what it looks like in version 12 at the lower left of the screen.

This store would need to upgrade since it is running version 12 sp2 r2.3

In addition, PayPal is also emailing its merchants based on what their servers see when an order comes from your site.  The emails typically have this information:

Our records indicate that you still need to make some critical security upgrades to your systems as well. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures by the date specified:

• TLS 1.2 and HTTP/1.1 Upgrade – Complete by June 2018
Update Needed: No

• IPN Verification Postback to HTTPS – Complete by June 2018
Update Needed: No

• Discontinue Use of GET Method for Classic NVP/SOAP API’s – Complete by June 2018
Update Needed: No

• Merchant API Certificate Credentials Upgrade – Complete by September 2018
• Please note that this may be completed earlier based on the expiration date of your certificate.
Update Needed: Yes

In the above message, everything is good except for the API Certificate Credentials. The API Certificate is actually something that you need to renew every 3 years (for PayPal Express or PayPal Payments Pro). You generate your cert on PayPal’s site and then copy it into ShopSite’s configuration screen for PayPal.

Because they do expire, we recommend that you switch to the API Signature Credentials instead.  If you do switch you will need to delete the certificate on PayPal, generate the signature and then update the configuration in ShopSite.  Either method can be used for validating your account.

Other Services Affected by TLS 1.2?

Authorize.Net, First Data, and UPS have recently made the switchover. View this kbase article to see which other service providers have announced switchover dates. Since the PCI (Payment Card Industry) deadline is June 30, 2018, everyone will be requiring TLS 1.1 or 1.2 by then.

For more on TLS and why it is being required and by whom, see this blog post.


*PayPal now says that testing will begin in April.
 

Authorize.Net Will Stop Working on Feb 28, 2018 in Older ShopSite Versions

Another service provider (Authorize.Net) will be “flipping the switch” to require TLS v1.2 on Feb 28, 2018.  When that occurs, older versions of ShopSite (v12 sp2 r3 and earlier) will no longer be able to communicate with Authorize.Net for credit card processing.  Authorize.Net is one of the larger payment gateways so this switchover could affect a number of merchants.

What Version Am I Running?

To see what version of ShopSite you are running, log in to ShopSite and look at the footer. If you see “12 sp2 r4” or greater, you are good to go. The current release of ShopSite at the time of this post is version 14.0. Here’s what it looks like in version 12 at the lower left of the screen.

This store would need to upgrade since it is running version 12 sp2 r2.3

Other Services Affected by TLS 1.2?

Besides Authorize.Net, First Data and UPS have recently made the switchover. The next big payment gateway to make the switch is probably PayPal. They are currently scheduled to switch on June 30, 2018. View this kbase article to see which other service providers have announced switchover dates. Since the PCI (Payment Card Industry) deadline is June 30, 2018, everyone will be requiring TLS 1.1 or 1.2 by then.

For more on TLS and why it is being required and by whom, see this blog post.

 

 
