Every company that accepts credit card payments on its website must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS does not guarantee security, but compliance establishes a baseline of controls for processing online payments and handling cardholder data, and it serves as a trustmark for customers entering card data on a website order page. (Need a PCI DSS refresher? Check out PCI Compliance: What Every eCommerce Business Needs to Know to learn more about PCI requirements and how Oro can help you comply).
According to the updated PCI DSS requirements, all businesses accepting credit card payments online must discontinue support for SSL and early TLS and migrate to current TLS versions by June 30, 2018. Here’s how this change may affect your B2B eCommerce business.
How PCI DSS Requirements are Changing
As you probably know, the payment card industry has relied on the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols to encrypt payment and customer data exchanged between a customer’s browser and the web server, protecting its confidentiality and integrity in transit. Protocol-level weaknesses in SSL and in TLS 1.0 (the version PCI DSS calls “early TLS”) have been demonstrated in practice, for example by the POODLE attack on SSL 3.0 and the BEAST attack on TLS 1.0 CBC cipher suites, so these versions no longer meet the PCI DSS definition of strong cryptography.
To stay PCI DSS compliant, businesses must migrate to a secure version of TLS. TLS 1.1 is the minimum that still counts as strong cryptography, and PCI recommends TLS 1.2 or higher.
As a certified and PCI DSS-compliant solutions provider that maintains the highest security standards, Oro uses only TLS encryption protocols.
The steps B2B eCommerce businesses must take to comply with the new PCI DSS requirements and safeguard customer payment data depend on the application deployment method they use.
OroCloud User Compliance is Automatic
Because Oro is responsible for PCI compliance on our cloud infrastructure, we’ve already taken care of all upgrades and updates. There’s nothing you need to do on the client side. It’s just another benefit for customers with a cloud-hosted OroCommerce solution.
Actions On-Premise Users Should Take
Things look a bit different if you implement OroCommerce on-premise. There are a few changes you must make to set up your servers for compliance.
We suggest the following steps to comply with the new PCI DSS requirements:
- Confirm that your web server, its TLS library and any load balancer, reverse proxy or CDN in front of it support the recommended TLS protocol (version 1.2 or higher).
- Disable SSL and early TLS (TLS 1.0) on every listener that handles card data, not just the storefront virtual host.
- Make sure the server cannot fall back to SSL or early TLS: on most web servers the list of enabled protocol versions is the only control, so any old version left in that list remains negotiable.
- Use external scanning tools to confirm which protocol versions and cipher suites your server actually negotiates after the change, rather than trusting the configuration file alone.
- Suggest to your customers that they upgrade their operating systems and browsers. Clients that cannot negotiate TLS 1.1 or later will fail to connect to your site after you migrate. Share this list of TLS 1.1-compatible operating systems and browsers to provide customers with more details.
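As an added example (not part of the original article, and not OroCommerce’s own configuration), here is what the steps above look like on an nginx server. The hostname and certificate paths are assumed placeholders. The first `server` block is a non-compliant listener shown for contrast; only the second block is meant to be deployed. Note that nginx’s built-in default for `ssl_protocols` still includes `TLSv1`, so an explicit directive is required.

```nginx
# BEFORE (non-compliant after June 30, 2018): this listener still offers
# SSLv3, TLS 1.0 and TLS 1.1. nginx has no separate "fallback" switch;
# every version named in ssl_protocols can be negotiated, so listing an
# old version IS the fallback path. Shown for contrast only.
server {
    listen 443 ssl;
    server_name shop.example.com;                              # hypothetical hostname

    ssl_certificate     /etc/ssl/certs/shop.example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/shop.example.com.key; # assumed path

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!MD5;
}

# AFTER: only TLS 1.2 and TLS 1.3 are offered. A client that cannot speak
# TLS 1.2 or later receives a handshake failure instead of a downgrade.
# TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+; on older
# builds remove it from the list instead of leaving a directive nginx
# cannot parse.
server {
    listen 443 ssl;
    server_name shop.example.com;                              # hypothetical hostname

    ssl_certificate     /etc/ssl/certs/shop.example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/shop.example.com.key; # assumed path

    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only: no RC4, 3DES, CBC/SHA1 or export suites.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
}
```

After `nginx -t` and a reload, verify from outside the host rather than trusting the file: `openssl s_client -connect shop.example.com:443 -tls1` (and `-tls1_1`) should end in a handshake failure, while `openssl s_client -connect shop.example.com:443 -tls1_2` should complete and print the negotiated cipher. The Apache equivalent of the protocol line is `SSLProtocol -all +TLSv1.2 +TLSv1.3` in `mod_ssl`. Repeat the external check against every hostname and port that terminates TLS for the store, including admin interfaces, APIs and any load balancer or CDN that terminates TLS in front of the application, since a single forgotten listener leaves the downgrade path open.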
Except for POS POI terminals (and their service provider termination points) that have been verified as not susceptible to the known exploits against these protocols, SSL and early TLS can no longer be used as PCI DSS security controls after June 30, 2018. If you’re using OroCommerce on-premises, time is running out to upgrade your TLS configuration, comply with the updated payment card industry data security standard, and keep payment processing on your B2B eCommerce website secure.