PCI-DSS – Customer Action Required

By Peter Marsh, NEWSCYCLE Solutions, Vice President of Product Marketing

For more than 20 years, Secure Sockets Layer (SSL) has been one of the most widely used encryption protocols. It remains in widespread use today despite the existence of a number of security vulnerabilities and its deprecation by NIST (National Institute of Standards and Technology) in 2014. According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS.

In April 2015, after extensive marketplace feedback, PCI SSC removed SSL as an example of strong cryptography from the PCI Data Security Standard (PCI DSS) version 3.1, stating that it can no longer be used as a security control after 30 June 2016. During the implementation period of PCI DSS 3.1, PCI SSC continued to seek feedback from the market, and has now revised and updated sunset dates.

PCI DSS has issued a new date that offers some additional time to migrate to more secure protocols, but waiting is not recommended. We are already hearing from customers that their respective credit card vendors are exiting the business before the compliance deadline. Also, if a change is needed that requires changes to your NEWSCYCLE system(s), you need to get in the queue as quickly as possible. In addition, the existence of the POODLE and Heartbleed exploits, among others, proves that anyone using SSL and early TLS risks being breached.

This change by PCI DSS will have an impact on NEWSCYCLE software when it comes to the credit card interfaces used to communicate with the various vendors. The specific change is related to the version of the TLS protocol used within the credit card interfaces. With this change, there are certain requirements related to the OS, the versions of .NET installed on systems, and the version of the IE browser used for hosted order page credit card interfaces. Please contact your specific credit card vendor for the exact date they plan to cut over to the new security protocols so that you can plan software changes accordingly.

Some credit card processing vendors have indicated that they will not be supporting these software changes, and instead will be closing down their business units. Therefore, it is imperative that you contact your vendor immediately. Failure to make these software changes by the set date of your credit card vendor will result in your inability to process credit card payments in NEWSCYCLE software.

Please also feel free to reach out to us directly if we can assist you in this process in any way.
