Because commonly used SSL (Secure Sockets Layer) and early TLS (Transport Layer Security) encryption are no longer secure, they increase vulnerability to data theft. Spurred by high-profile consumer and government breaches, the PCI SSC is requiring a change to a secure version of TLS, currently 1.1, although 1.2 is preferred. The TLS protocol’s goal is to provide a private exchange of data between two computer applications, such as a web browser and a server used to access a website.
Why Start Now?
More than two years may seem like plenty of breathing space. But, because of the potential challenges — and costs — of complying, government agencies should start formulating TLS migration plans now. In some cases, for example, agencies may need to replace computer equipment or upgrade operating systems and applications, and may have only one state budget cycle between now and the deadline to manage those costs.

Government agencies should take these five steps to comfortably meet the 2018 deadline and help their constituents be ready for the change:
1. Evaluate whether internal systems can meet the new standard. To make sure your operating systems, browsers and applications can handle the transition, start by reviewing development notes on the way your system is designed, such as whether or not it is hard coded to work only with older encryption technologies. In addition, or if this information is not available, conduct “network sniffing,” which involves looking at traffic on the network to determine what protocols are being used when the network connection is established and whether they comply with the new PCI requirements.
2. Fully utilize your IT support staff’s expertise. In cases where operating systems and browsers are involved, ask infrastructure and desktop support personnel whether the operating system and browsers the agency is using will support the change to TLS. If your agency uses its own applications, ask your internal development staff how applications were architected, and ask third-party developers the same question about any apps they have created. Third-party developers, in particular, may not be thinking in terms of the PCI migration deadline, so the agency must be proactive to make sure none of its transaction-related systems get overlooked.
3. Engage service providers in your plans to meet the deadline. Providers who deliver payment-processing services to government agencies must support TLS v1.1 and higher by June 30, 2016 — a full two years before agencies must follow suit. Your third-party processor should be transparent with you about what it is doing to help you meet your 2018 deadline and should share its timeline for actions that affect your agency, such as when it plans to shut down connectivity of the older encryption technologies and whether or not it will meet the June 30, 2016, deadline.
Bottom line: Your agency needs to know what its service provider’s plans are to help you transition smoothly. If the service provider is working off a deadline that differs from the PCI deadline, you need to know what that date is.
4. Develop a plan to configure all systems to stop using SSL or early TLS. Your plan should define how you’ll solve the problem of any hardware, software, apps or browsers the agency now uses that aren’t compliant with the new PCI regulations. Check your browser’s capabilities here.
The plan also should address transition costs. How many desktop computers are still running an operating system that won’t support the migration? Do desktops and operating systems need to be replaced? For some agencies, the transition costs may be minimal, but those who have to replace hundreds of computers will face a different cost scenario. Creating a plan will help your agency budget appropriately.
Browser upgrades typically don’t require financial expenditures, other than the “soft cost” of resources to deploy a new version. If a third party developed and still supports the browser your agency uses, you should expect the service provider to upgrade its software to meet the PCI deadline as part of the maintenance cost.
Once a plan is developed, clearly communicate it to the appropriate staff members. Everyone involved should understand what the risks are, what the goals are and what the agency will be able to do (and not do) with the dollars and resources available.
5. Set internal deadlines to implement changes. Waiting until the last minute to make this transition creates significant risks. Besides the risk of losing, at least temporarily, the ability to accept electronic credit card payments, agencies could face added costs and potential disruption to revenue flows. To avoid these problems, agencies need to set incremental internal deadlines that ensure compliance by the PCI SSC conversion date.
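As an added example (not code from the original article or from NIC), the following Python parser applies the "network sniffing" check from step 1 and the compliance test behind step 4: given a captured TLS ServerHello record, it reports which protocol version the server selected and classifies it against the PCI requirement of TLS 1.1 at minimum, with 1.2 preferred. The sample records are constructed inside the block; in practice the bytes would come from a packet capture of the agency's own connections.

```python
import struct

# Wire version bytes for the protocols the PCI migration covers (TLS 1.3 signals
# its version in an extension and is out of scope here).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def negotiated_version(record: bytes) -> str:
    """Return the protocol version selected in a captured ServerHello record.

    Record header: type(1) version(2) length(2); handshake: type(1) length(3)
    version(2) ...  The version in the ServerHello body is the one the
    connection actually uses, so that is what is checked, not the record layer.
    """
    if len(record) < 11:
        raise ValueError("record too short to hold a ServerHello")
    content_type, _, _, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    major, minor = body[4], body[5]
    return VERSIONS.get((major, minor), f"unknown({major}.{minor})")


def pci_status(version: str) -> str:
    """Classify a negotiated version against the PCI SSC requirement."""
    if version in ("SSLv3", "TLS 1.0"):
        return "non-compliant"
    if version == "TLS 1.1":
        return "compliant (minimum)"
    if version == "TLS 1.2":
        return "compliant (preferred)"
    return "unknown"


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal ServerHello record as test input (not a real capture)."""
    # body: version(2) random(32) session_id_len(1) cipher_suite(2) compression(1)
    hs_body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for mm in ((3, 0), (3, 1), (3, 2), (3, 3)):
        v = negotiated_version(build_server_hello(*mm))
        print(f"{v:8} -> {pci_status(v)}")
```

Any connection that reports "non-compliant" here identifies a system, browser or application that must be reconfigured or replaced before the deadline.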
Inform constituents of the change and how it affects them. Government agencies aren’t the only ones who may need to make changes to comply with the new PCI standards. Citizens do too. Unless their browsers and desktop computers support the new encryption levels, they won’t be able to make payments when connected to your agency’s online services come June 30, 2018.
So now is the time for your agency to start communicating to constituents about the upcoming PCI migration. One way to do this is a splash page that says something along these lines: “As of June 30, 2018, because of changes in payment card industry security standards, there will be functionality on our website that you no longer will be able to take advantage of if you do not upgrade your browser to a supported version.”
Making the transition to the more secure version of TLS will be no small task. To ease the process, plan for costs and ensure compliance by the 2018 deadline. The sooner you get started, the better.
Rob Harvey is lead security analyst for NIC Inc., a provider of digital government and secure payment processing solutions for more than 4,300 local, state and federal agencies across the United States. You may reach him at rharvey@egov.com. More information about NIC is available at www.egov.com.