The PCI Data Security Standard team has stated that 30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol, TLS 1.1 or higher (TLS v1.2 is strongly encouraged), in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. With that deadline in mind, we thought it best to explain to our readers what exactly TLS is and how it affects your online store.
TLS stands for Transport Layer Security, a protocol that can be located within the OSI (Open Systems Interconnection) model.
There are 7 layers to the OSI model:
1. Physical
2. Data
3. Network
4. Transport
5. Session
6. Presentation
7. Application
Where TLS Fits: Transport (Layer 4)
Layer 4 of the OSI model provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.
TLS is essentially the handshake that SSL provides. It is the secure protocol that helps prevent web traffic from being intercepted, listened to or altered in transit between host and client.
The Handshake
The handshake begins when a client connects to a TLS-enabled server and requests a secure connection, presenting a list of the cipher suites (ciphers and hash functions) it supports. From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
The server usually then provides identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) that vouches for the authenticity of the certificate, and the server's public encryption key. The client confirms the validity of the certificate before proceeding.
Session Keys
A session key is a single-use symmetric key used for encrypting all messages in one communication session. To generate the session keys used for the secure connection, the client either:
- Encrypts a random number with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session.
OR
- Uses Diffie–Hellman key exchange to securely generate a random and unique session key for encryption and decryption that has the additional property of forward secrecy: if the server's private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS handshake fails, and the connection is not created.
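The two session-key options above, as an added example (not AmeriCommerce's code): a toy Python model showing why a recorded session from the first option is exposed if the server's private key is later disclosed, while a Diffie–Hellman session is not. All names and the small constructed parameters are assumptions for illustration; real TLS uses padded RSA, much larger groups, and has the server sign its Diffie–Hellman value.

```python
import hashlib
import secrets

# Constructed toy parameters: far too small for real use, chosen so the
# example runs instantly with only the standard library.
DH_P, DH_G = 2**127 - 1, 3                  # Diffie-Hellman modulus and base
RSA_E = 65537                               # server's public exponent
RSA_N = (2**61 - 1) * (2**89 - 1)           # server's public modulus
RSA_D = pow(RSA_E, -1, (2**61 - 2) * (2**89 - 2))  # server's PRIVATE exponent


def session_key(shared_secret: int) -> bytes:
    """Both sides hash the shared number into a symmetric session key."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def rsa_key_transport():
    """Option 1: client encrypts a random number under the server's public key."""
    random_number = secrets.randbelow(RSA_N - 2) + 2
    on_the_wire = pow(random_number, RSA_E, RSA_N)   # visible to anyone recording
    server_number = pow(on_the_wire, RSA_D, RSA_N)   # only the private key decrypts
    return on_the_wire, session_key(random_number), session_key(server_number)


def diffie_hellman():
    """Option 2: each side picks a fresh secret; only public values are sent."""
    a = secrets.randbelow(DH_P - 3) + 2              # client secret, discarded after use
    b = secrets.randbelow(DH_P - 3) + 2              # server secret, discarded after use
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    return (pub_a, pub_b), session_key(pow(pub_b, a, DH_P)), session_key(pow(pub_a, b, DH_P))


def recover_from_recording(on_the_wire: int, disclosed_d: int) -> bytes:
    """A recorded option-1 session, re-derived once the server key is disclosed."""
    return session_key(pow(on_the_wire, disclosed_d, RSA_N))


if __name__ == "__main__":
    wire, client_key, server_key = rsa_key_transport()
    print("RSA transport, both sides agree:", client_key == server_key)
    print("RSA transport, recording + disclosed key gives session key:",
          recover_from_recording(wire, RSA_D) == client_key)
    _, client_key, server_key = diffie_hellman()
    print("Diffie-Hellman, both sides agree:", client_key == server_key)
    print("Diffie-Hellman: the server's long-term key is never an input to the session key")
```

In the Diffie–Hellman case the per-session secrets are thrown away when the connection ends, which is why preferring cipher suites with ephemeral key exchange protects past traffic.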
Confused?
Don’t be. That’s why AmeriCommerce is here to help our merchants every step of the way and to make sure online stores continue to be safe, secure, and ahead of the curve so you can focus on what matters most - selling stuff!
Happy Selling!
-AmeriCommerce Team