A Brief History
In May of 2014, the National Institute of Standards and Technology (NIST) revised its security guidelines for servers supporting unclassified yet sensitive US security information (thanks Edward Snowden). The update stated that, by the beginning of 2015, these servers should be configured to support TLS 1.1 and TLS 1.2, and that they should no longer support TLS 1.0, SSL 2.0 or SSL 3.0.
The Payment Card Industry Security Standards Council (PCI SSC) followed suit in April of 2015, releasing an updated version of their PCI Data Security Standards (PCI DSS) advising providers in the payment card industry that they’re required to upgrade their systems to meet the new standards by June 2018 (originally June 30, 2016).
Developed by Netscape in the mid-90s, SSL predates TLS, which was written by Christopher Allen and Tim Dierks of Consensus Development in 1999 as a replacement for SSL 3.0. Unfortunately, TLS 1.0 allows a connection to be downgraded back to the less secure SSL 3.0, making it unacceptable for transmitting payment card data.
What is SSL and TLS?
SSL and TLS are acronyms that stand for Secure Sockets Layer and Transport Layer Security (respectively). But what do they mean? In technical speak, both are encryption protocols used to create and maintain a secure channel of communication and to authenticate the identity of the communicating endpoints (snore).
In plain language, or, as I like to refer to it, “spy language”, this means scrambling a message while it's being delivered, so that if an evil villain intercepts it, they won’t be able to read it, thus foiling their plans to destroy the universe (insert maniacal laughter).
A more relevant example, you ask? Fine - when a customer uses one of your ATMs to withdraw some cash, the ATM sends a request to the transaction provider. The SSL or TLS encryption protocol scrambles the message during delivery and verifies the customer's and the transaction provider's identities before approving the request and allowing the ATM to dispense the money.
Why are service providers being asked to upgrade?
Service providers in the payment card industry are being asked to upgrade their systems because the SSL and TLS 1.0 encryption protocols have been identified as vulnerable. Upgrading will reduce the risk from recent cyber attacks with edgy names like Heartbleed, FREAK, POODLE (maybe not the edgiest of cyber attack names) and BEAST, which could potentially put cardholders' personal financial information at risk during the transaction process.
How could this impact IADs?
After June 2018, any ATMs that have not been upgraded to meet the PCI DSS may no longer be able to process transactions. Having your ATMs go offline will result in lost revenue and a poor customer experience for anyone who visits your ATM while it's down, decreasing the likelihood of their becoming a repeat customer.
What can ATM business owners do to protect their businesses and customers?
If your ATM is connected to the internet via a merchant's local area network (LAN), it's your responsibility to ensure that your ATM's operating system is updated so that it uses TLS 1.1 or TLS 1.2.
If you're using a wireless modem other than DPL's Hercules, you'll likely need to physically travel to each ATM location and update every modem's software to TLS 1.1 or TLS 1.2 individually.
To protect your business's reputation and your customers' financial information, you should contact any third-party vendors or suppliers you deal with immediately to determine whether they have already updated their systems to be compliant with the new PCI DSS, or what their timelines are for implementing upgrades.
Even though TLS 1.2 is the most current encryption protocol, PCI SSC considers those using TLS 1.1 to be compliant, but that could change. It should also be noted that TLS 1.3 is currently in development. To avoid the risk of having to make your ATMs compliant all over again after the June 2018 SSL and TLS 1.0 migration deadline, it may be wise to verify whether your vendors and suppliers have upgraded, or plan to upgrade, to TLS 1.2, and whether they intend to upgrade to TLS 1.3 when it’s made available.
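As an added example (not DPL's code, and not anything published by the PCI SSC), the following Python script shows what "updated to TLS 1.1 or TLS 1.2" means in a server's TLS configuration and grades a configuration against both the June 2018 requirement (no SSL, no TLS 1.0) and the stronger TLS 1.2 advice above. It uses only the standard `ssl` module. The certificate and key paths are placeholders for the operator's own files, and the "not yet migrated" context is constructed here purely so the audit has something non-compliant to report on.

```python
import ssl
import warnings
from ssl import TLSVersion

# Protocol floors the post talks about. SSLv2/SSLv3 cannot be enabled through
# the ssl module on a modern OpenSSL at all, so TLS 1.0 is the oldest version
# this audit can observe.
REQUIRED_MINIMUM = TLSVersion.TLSv1_1     # what PCI SSC accepts today
RECOMMENDED_MINIMUM = TLSVersion.TLSv1_2  # what the post advises aiming for


def server_context(minimum, certfile=None, keyfile=None):
    """Build a server-side context whose oldest negotiable version is `minimum`.

    certfile/keyfile are the operator's own certificate and key (assumed
    paths); they are optional because inspecting the policy does not need them.
    Returns None when this OpenSSL build has `minimum` compiled out, in which
    case that (weak) configuration cannot even be expressed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        with warnings.catch_warnings():
            # Python warns when TLS 1.0/1.1 are selected; that is the point here.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = minimum
    except ValueError:
        return None
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def effective_minimum(ctx):
    """Lowest protocol version the context will negotiate."""
    minimum = ctx.minimum_version
    # MINIMUM_SUPPORTED means "whatever the library allows"; assume the worst
    # case the module can still speak, TLS 1.0, rather than hoping for better.
    if minimum == TLSVersion.MINIMUM_SUPPORTED:
        minimum = TLSVersion.TLSv1
    return minimum


def audit_context(ctx):
    """Grade a context against the migration deadline and the TLS 1.2 advice."""
    minimum = effective_minimum(ctx)
    return {
        "minimum_version": minimum.name,
        "accepts_tls1_0": minimum <= TLSVersion.TLSv1,        # must be False after June 2018
        "pci_compliant": minimum >= REQUIRED_MINIMUM,         # TLS 1.1 floor or better
        "tls1_2_or_better": minimum >= RECOMMENDED_MINIMUM,   # survives a tightening of the rule
    }


def main():
    # Three configurations an operator might find in the field (constructed).
    for label, minimum in (
        ("not yet migrated (TLS 1.0 floor)", TLSVersion.TLSv1),
        ("interim (TLS 1.1 floor)", TLSVersion.TLSv1_1),
        ("recommended (TLS 1.2 floor)", TLSVersion.TLSv1_2),
    ):
        ctx = server_context(minimum)
        if ctx is None:
            print(f"{label}: this OpenSSL build cannot even enable {minimum.name}")
            continue
        print(f"{label}: {audit_context(ctx)}")


if __name__ == "__main__":
    main()
```

Run it directly and it prints one grade per configuration; only the TLS 1.2 floor passes every check, while the TLS 1.1 floor is compliant today but flagged as exposed to a future tightening. The audit only covers configuration you control. For a vendor's or supplier's endpoint, the equivalent external check is a TLS 1.0-only handshake attempt such as `openssl s_client -connect host:443 -tls1`, which a migrated endpoint should refuse.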
Is DPL compliant with the new PCI DSS?
Yes, DPL takes security very seriously. In addition to being PCI DSS compliant since 2012, our devices:
- Do NOT use SSL or TLS encryption protocols
- Use point-to-point VPN tunnels to ensure any personal financial information transmitted through our systems is protected
- Use private cellular networks
If you’re using one of DPL’s Hercules wireless ATM modems you’ll never have to worry about SSL, TLS, PCI SSC, PCI DSS or any other abbreviation!
Where can I get more information about the SSL, TLS 1.0 migration?
To view up-to-date information on the SSL and TLS 1.0 migration, we recommend you visit the PCI SSC’s website periodically.