Originally, UPS said they will require a more secure protocol (TLS 1.2) to get rate quotes by the end of May 2016, now they are pushing that back to December 31, 2017.  June 17* is when PayPal plans to require TLS 1.2 for submitting payment information. Other vendors have announced their intentions to require the newer protocol. What is going on?

In April of 2015 the PCI Security council said that the secure protocol (TLS 1.0) used by most shopping cart vendors and others to communicate with payment gateways, shippers, and other vendors was not as secure as desired. They then declared that by June of 2016 a newer protocol (TLS 1.1 or 1.2) must be used. The Payment Card Industry (PCI) council is sponsored by Visa and the other credit card companies and sets the standards that payment gateway vendors like PayPal and Authorize.Net must adhere to, so what they say carries a lot of weight. Likewise, others like UPS also took notice and made plans to also phase out support for TLS 1.0. When stopping support for TLS 1.0, most vendors are skipping TLS 1.1 and only supporting TLS 1.2.

End of Life for TLS 1.0

Date Pushed Back

With the date set for end of June 2016 by PCI, a number of vendors began setting their dates for switching over around the same time frame or a little earlier. At the same time, many companies and vendors no doubt pointed out to PCI that this was not much time to implement the changes. And, while TLS 1.1 and 1.2 were even more secure than 1.0 was, they also probably questioned if there really is a significant risk that requires switching so soon. So last December, PCI came out with a new date of June of 2018 to make the change! Despite the change in dates, some vendors (like PayPal) have indicated they are sticking with their June 17, 2016 date*.

Originally, UPS was to be the first major vendor to force support for TLS 1.2, followed by PayPal a few weeks later.  Now, it looks like PayPal will be the first in June of 2017.  As far as ShopSite goes, version 12 service pack 2 (v12.2.4) is the first release to support TLS 1.1 and 1.2. Also note that besides running a version of ShopSite that supports TLS 1.2, some services may also require that your secure web server (https://) be up to date with the latest SSL certificates. Certainly for some users to shop at your site there will be browsers that require newer certs, and possibly protocols. The Qualys site is a good place to input your domain name and get back test results.

Your Version

To see what version of ShopSite you are running, log in to ShopSite and look at the footer. If you see “12 sp2 r4” or greater, you are good to go. Note that the r4 (release 4) is important.  That was the last update to sp2 (service pack 2) and it is the sp2 version that has the support for TLS 1.1 and 1.2.  Since then, sp3  has been released so if you have that version (v12 sp3) you are good.  Here’s what it looks like in version 12 at the bottom lower left of the screen.

Security is a pain. We may question why some vendors will force the switch to TLS 1.2 this year, while others will wait until 2018. But just like anti-virus software and operating system updates, the safest bet is to be up to date on the latest software releases.

Blog updated 4/19/16 to reflect UPS has moved their switch over date back

* Also note that as of 5/6/2016 PayPal has also pushed their switch over date to June 30, 2017.