August 14, 2017
Authored by: Bryan Cave and Stanton Koppel
Retailers are still feeling the pain from implementing EMV-compliant POS systems. An article by Kate Fitzgerald in the PaymentsSource Technology newsletter (August 8, 2017) caught our eye. The gist of it is that the PCI-DSS standard for data transmission will change in June of next year. Card network rules require Acquirers to ensure that their merchants comply with the PCI-DSS standard and the companion PA-DSS standard, so merchants that have not implemented a newer version of the data transmission security standard will be out of compliance once the change takes effect.
The rules contain no liability shift tied specifically to the new standard, but merchants will be subject to fines, and the deficiency will surface when they undergo their periodic security audit after the June 30 date. The bigger concern is that the Payment Card Industry Security Standards Council is dropping the old standard because it leaves POS systems that still use it vulnerable to hacking, so attackers will now be probing for large systems that have not upgraded to the more secure versions of the protocol.
According to Fitzgerald:
- “Most merchants are still relying on the 1.0 version of the payment encryption method known as Transport Layer Security (TLS), but hackers have so thoroughly exploited it that the Payment Card Industry is withdrawing support for that version on June 30, 2018, and processors will follow suit immediately.
- “Switching to one of two more recent supported versions of the encryption protocol—either TLS 1.1 or TLS 1.2—should be relatively simple. But many merchants are held back by their use of older computer hardware and Windows operating systems prior to Windows 7.”
Retailers and other merchants should alert their tech staff and perhaps ask their card processors whether they are or will be compliant.
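Before asking those questions, a merchant's tech staff can check their own payment endpoints directly. The following Python probe is an added example, not code from the article or from PaymentsSource: it pins a client to one TLS version per connection and reports which of TLS 1.0, 1.1 and 1.2 the server negotiates. It assumes a CPython `ssl` module built on OpenSSL; the host and port are supplied by the person running it.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def _context_for(version):
    """Client context pinned to one protocol version; no cert checks, we test negotiation only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with warnings.catch_warnings():  # Python deprecates offering 1.0/1.1; here that is the point
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ctx.maximum_version = version
    try:  # let the local OpenSSL offer legacy versions its security level refuses by default
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx

def probe_tls_versions(host, port=443, timeout=5.0):
    """Per version: 'accepted', 'rejected' (TCP connected but the handshake failed by
    alert, reset or EOF) or 'unreachable' (no TCP connection, so nothing was learned)."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        with raw:  # wrap_socket performs the handshake; ssl.SSLError is an OSError
            try:
                _context_for(version).wrap_socket(raw, server_hostname=host).close()
                results[name] = "accepted"
            except (OSError, ValueError):  # ValueError: version unknown to local OpenSSL
                results[name] = "rejected"
    return results

def assess(results):
    """Verdict for the June 30, 2018 cut-off: TLS 1.0 refused and TLS 1.1 or 1.2 accepted."""
    if "unreachable" in results.values():
        return "inconclusive"
    if results["TLSv1.0"] == "accepted":
        return "still accepts TLS 1.0"
    return "ready" if "accepted" in (results["TLSv1.1"], results["TLSv1.2"]) else "inconclusive"

if __name__ == "__main__":  # usage: python tls_probe.py HOST [PORT]
    found = probe_tls_versions(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print(found, "->", assess(found))
```

A TLS 1.0 result of `accepted` means the endpoint still negotiates the version being withdrawn, while `unreachable` means the probe could not even connect and says nothing about compliance. If the local OpenSSL itself can no longer speak TLS 1.0, the 1.0 line reads `rejected` regardless of the server, so run the probe from a machine that can still offer it.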
For questions or more information contact the author, Stanton Koppel, at Stanton.Koppel@BryanCave.com or 415-675-3437.