Your .NET Payments May Stop Working in June

New regulations in the Payment Card Industry (PCI) dictate that online and e-commerce companies must migrate to more secure encryption protocols designed to reduce the risk of a data breach. Companies must disable SSL/early TLS in favor of the newer, more secure encryption protocols by June 30, 2018. Unfortunately, many organizations may not be aware of this deadline. TLS 1.1 or higher will be required for all payments processed after that date. Some payment processors are going further, requiring a minimum of TLS 1.2, and on an earlier timeframe.

What is SSL/early TLS?

Transport Layer Security (TLS) is a cryptographic protocol for establishing a secure connection between two systems. It provides authentication and protects the integrity and confidentiality of information in transit. It was originally developed as Secure Sockets Layer (SSL) in the early 1990s by Netscape. Since then it has seen several revisions to improve security in response to known attacks and to support new cryptographic algorithms.

How does this impact my .NET 4.5 or older application?

If you don’t accept payments through your application, there should be no impact. If you do, and you target .NET Framework 4.0 or 4.5, the default security protocols are SSL 3.0 and TLS 1.0. Unless you have explicitly enabled higher protocols in your code, or use an updated third-party communications framework, your transactions will begin to fail. If you are on .NET Framework 3.5 or earlier, the framework has no support for the TLS "system default versions" mechanism, so the application cannot simply defer protocol selection to the operating system. There’s still hope for meeting the deadline, but the effort is greater.
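The explicit enabling this paragraph refers to, as an added example that is not code from the original post or from Antares: it reports whether the process will offer TLS 1.2, turns on TLS 1.1/1.2 (and removes SSL 3.0) for a .NET Framework 4.5 application, and makes one request that tells a failed handshake apart from an ordinary HTTP error. The class name, method names and the endpoint URL are placeholders chosen for the example.

```csharp
using System;
using System.Net;

// Added example, not code from the original post. Assumes a .NET Framework 4.5
// project (where SecurityProtocolType.Tls11/Tls12 exist) and a placeholder URL.
// On .NET 4.0 the enum lacks Tls12; (SecurityProtocolType)3072 is the same flag.
static class TlsReadinessCheck
{
    // True when the process-wide setting used by HttpWebRequest, WebClient and
    // the .NET Framework HttpClient will offer TLS 1.2 to the server.
    public static bool Tls12Enabled()
    {
        return (ServicePointManager.SecurityProtocol & SecurityProtocolType.Tls12) != 0;
    }

    // Adds TLS 1.1 and 1.2 to whatever is already enabled and drops SSL 3.0,
    // rather than overwriting the value. Call once at startup, before the first request.
    public static void EnableModernTls()
    {
        ServicePointManager.SecurityProtocol =
            (ServicePointManager.SecurityProtocol
             | SecurityProtocolType.Tls11
             | SecurityProtocolType.Tls12)
            & ~SecurityProtocolType.Ssl3;
    }

    // One HEAD request to tell a TLS failure from an HTTP one: ProtocolError means the
    // server answered (even with a 404), so the handshake worked; SecureChannelFailure
    // is what a TLS 1.0-only client sees once the processor turns off early TLS.
    public static bool HandshakeSucceeds(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "HEAD";
        try
        {
            using (request.GetResponse()) { return true; }
        }
        catch (WebException ex)
        {
            Console.WriteLine("Request failed: " + ex.Status + " - " + ex.Message);
            return ex.Status == WebExceptionStatus.ProtocolError;
        }
    }

    static void Main()
    {
        const string endpoint = "https://example.invalid/"; // placeholder, not a real processor
        Console.WriteLine("Before: " + ServicePointManager.SecurityProtocol + ", TLS 1.2 offered: " + Tls12Enabled());
        EnableModernTls();
        Console.WriteLine("After:  " + ServicePointManager.SecurityProtocol + ", TLS 1.2 offered: " + Tls12Enabled());
        Console.WriteLine("Handshake succeeded: " + HandshakeSucceeds(endpoint));
    }
}
```

Run it against your processor's staging endpoint before the cutoff; the check method is just as useful for an upgraded application on .NET 4.6 or newer, where the pinned setting can be left out so the operating system chooses the protocol.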

How does this impact my .NET 4.6 or newer application?

If you developed the application recently using best practices, then TLS 1.0, 1.1, and 1.2 are all enabled by default. If you have upgraded an older application to a newer .NET Framework, it may still be using an outdated communications mechanism that does not enable TLS 1.1 or higher by default.

I’m already on a fully patched Server 2016 and targeting .NET 4.7.2

You may already have everything enabled by default and do not need updates. It is best to verify with your payment provider and be sure that any third-party libraries are up to date before the deadline. Some older classes and communication libraries may not have the newer TLS protocols enabled by default.

If you have questions about these new requirements or need assistance implementing them, Antares can help. Contact us today.