Changes to PCI Compliance

A bit of background on Credit Card security

Uplifter takes security seriously and makes its best efforts to protect the information of our clubs and their members. To that end, for what the PCI Security Standards Council defines as "Cardholder Data", Uplifter has outsourced all processing, storage and transmission of this data to a trusted third-party, PCI Level 1 certified service provider, Beanstream (http://www.beanstream.com/about/security-and-pci-compliance/). This means that Uplifter works in concert with Beanstream to ensure that your Uplifter site meets the standards required to be PCI compliant.

Big changes to PCI Compliance

In April 2015, the PCI Security Standards Council published a revision to their Data Security Standard (PCI DSS Version 3.1). The announcement of changes to the standard can be found here.

Of importance is that PCI DSS version 3.1 no longer accepts the use of older, outdated cryptographic protocols. In other words, most websites requiring secure data transmission, such as banks and Uplifter, will no longer be accessible from older, outdated web browsers. *See our full list of compatible web browsers at the bottom of this article.

What does this mean?

A website can serve information to a user's computer either through an unencrypted ("http://") connection or an encrypted ("https://") connection. Any given connection is like sending information back and forth on the open road. People can see others traveling on the road from a distance, and it's not entirely impossible to get up close and see what's in the vehicle. An encrypted connection is like sending your information back and forth in the Batmobile, tinted windows and all. By using encryption, the only people who can get in and see what's in the Batmobile are the people who sent it in the first place or receive it at its intended destination - because the Batmobile can't be opened en route. Unless you're Batman... but you're not.

Every now and then the Batmobile improves its security, making it harder and harder to either break into it or see through it with x-ray vision. Each improvement is called a protocol version. On the internet, these encryption protocol versions have names like "SSL 2.0", "SSL 3.0", "TLS 1.0" or "TLS 1.2" for example. Villains over the last few years have found out how to break through a few of these versions (SSL 2.0, SSL 3.0, TLS 1.0). Not everyone can break through and see, but some can. And because there is the possibility of being able to break through, the PCI Security Council has decided that people sending credit card information back and forth on the internet should not use the old Batmobiles to send this information.

So what difference does it make to me which protocol I use?

In order to see what's in the Batmobile, the doors can only be opened when it's inside your garage. Because of the size of the new Batmobiles, you need a newer, larger garage where it can fit. If your garage is not big enough, you'll never be able to park the Batmobile to see what's inside it. Some garages are renovating and upgrading so that they can park the Batmobiles while others are just leaving the old ones as is and just building new ones. The garages are your web browsers.

With the new standard, the PCI Security Standards Council is requiring all garages or web browsers to accept only the new larger Batmobiles by June 2016. Over time, websites that want to be PCI compliant will only send the new bigger Batmobiles that are at least version TLS 1.2. If your garage is not big enough, you will never be able to see Batman.

What Garages Won't Fit the Secure Batmobiles?

All of the newer browsers communicate using the more modern TLS 1.2 protocol. It is important that you and your members update your browsers to ensure that you can continue to use Uplifter. We want to ensure your security, so over the next short while both Uplifter and Beanstream will stop allowing the older protocols to transfer data. This means that if a member attempts to come to your Uplifter site to register, they may receive an error about not being able to communicate with the site, or the page to enter credit card information will produce an error. Additionally, if corporate firewalls do not allow the newer protocols, some office networks will display a similar error when trying to communicate with either Uplifter or Beanstream.

When Will You Only be Sending the New Batmobiles?

Uplifter completed some initial roll-outs in May, offering the secure protocols by default. We noticed at the time that a number of end users still could not connect to Uplifter sites because either their browsers were outdated or their corporate networks prevented sending information over the secure protocols. Because of the response from some of our users, we opted to delay disabling these protocols until after the rush of the registration season, to give our clubs enough time to communicate the upcoming changes to their members.

Uplifter has scheduled the disabling of our insecure protocols for December 31, 2015. You need to upgrade your garages (browsers) before this date to be able to log into your Uplifter site or make a credit card payment.

What should we do?

All of your club administrators should update their web browsers to use a current and secure web browser. If you work at a location that has firewall restrictions, inquire whether or not TLS 1.2 will be supported with your web browsing.

Send an email to all of your members in advance of your heavy registration period letting them know that you take member data security seriously and that, if they would like to register for programs, they should check that their browser is up to date and that they are able to reach your website. In advance of Uplifter's security rollouts, you can use a site like https://www.howsmyssl.com/ to test whether your browser is compatible with Uplifter and Beanstream and ready for PCI DSS 3.1.

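One way for a club administrator to check the office-network concern above from the command line, as an added example (not Uplifter's or Beanstream's code): it attempts a handshake that refuses anything older than TLS 1.2, so a failure tells you that either the server or the network path does not allow the protocol the page says will be required. The host name used at the bottom is an assumed placeholder.

```python
"""Check whether a network path can complete a TLS 1.2-or-better handshake.

Added example, not Uplifter's or Beanstream's code. The host name passed to
probe() is supplied by the caller; the one in __main__ is a placeholder.
"""
import socket
import ssl

# The page says SSL 2.0, SSL 3.0 and TLS 1.0 will be disabled and that
# sites will require at least TLS 1.2; these are the versions we accept.
MINIMUM_ACCEPTED = ("TLSv1.2", "TLSv1.3")


def meets_minimum(version: str) -> bool:
    """True when a negotiated version string, in the form returned by
    ssl.SSLSocket.version(), is TLS 1.2 or newer."""
    return version in MINIMUM_ACCEPTED


def make_strict_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, so a successful
    handshake proves both the server and the network path allow it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a TLS 1.2+ handshake and report the outcome as a dict rather
    than raising, so it can be run over a list of sites from an office PC."""
    ctx = make_strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"host": host, "ok": True, "version": tls.version()}
    except ssl.SSLError as exc:
        # Handshake failed: the server only offers older protocols, or a
        # firewall/middlebox interfered with the TLS exchange.
        return {"host": host, "ok": False, "error": f"TLS error: {exc}"}
    except OSError as exc:
        # Blocked port, DNS failure or timeout before TLS even started.
        return {"host": host, "ok": False, "error": f"network error: {exc}"}


if __name__ == "__main__":
    # Placeholder host name: replace with your own Uplifter site's host.
    print(probe("example.invalid"))
```

A result with "ok": False and a "TLS error" message from a site you know supports TLS 1.2 points at the network path (a proxy or firewall) rather than the browser.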
Web browser compatibility

For your reference, here are three lists that describe which browsers will work when the changes are made and which will not. These lists were compiled from Wikipedia.

Browsers that will support TLS 1.2 by default include:

-Microsoft Internet Explorer 11 and higher
-Microsoft Internet Explorer Mobile (Windows Phone 8.1) 11 and higher
-Microsoft Edge
-Mozilla Firefox 27 and higher
-Google Chrome 30 and higher
-Google Android OS Browser Android 5.0 and higher
-Apple Safari 7 and higher
-Apple Safari Mobile 5 and higher on iOS 5 and up


Browsers that will support TLS 1.2 but NOT by default:

-Microsoft Internet Explorer 8 - 10 on Windows 7 or Server 2008 R2
-Microsoft Internet Explorer Mobile (Windows Phone 8) 10
-Mozilla Firefox 24 - 26
-Google Android OS Browser Android 4.4


Browsers that DO NOT support TLS 1.2 AND WILL NOT WORK WITH UPLIFTER OR BEANSTREAM:

-Microsoft Internet Explorer 7 and below and Microsoft Internet Explorer 8 on Windows XP, Vista, Server 2003 or Server 2008
-Microsoft Internet Explorer Mobile 7 & 9
-Mozilla Firefox 23 and below
-Google Chrome 29 and below
-Google Android OS Browser Android 4.3 and below
-Apple Safari 6 and below
-Apple Safari Mobile iOS 5 and below on iOS 4 and below
