What You Need to Know About the Transport Layer Security (TLS) Changeover

May 18, 2018

Online security A major change issued by the Payment Card Industry (PCI) goes into effect on July 1, 2018--all merchants accepting credit card payments must have upgraded to a secure, current version of Transport Layer Security (TLS) to process transactions.

You might not be familiar with TLS, or you might think a Payment Card Industry mandate only affects store owners. Before assuming the TLS changeover doesn’t apply to you, keep in mind that the TLS deadline has the potential to affect regular consumers nationwide if they haven’t also taken some simple steps to prepare for the big switch.

1. What is TLS?

Essentially, TLS (Transport Layer Security) is an online encryption method that keeps your data safe when you’re transmitting payments or other confidential data online. There are three different versions so far: TLS 1.0, TLS 1.1, and TLS 1.2. Each one is an improvement on the previous version.

2. What exactly is the TLS changeover?

TLS 1.0—the oldest version of TLS—will no longer be considered compliant with industry security practices as of July 1, 2018. The Payment Card Industry (PCI) is discontinuing its approval for TLS 1.0 as of that date.

Because TLS 1.0 has become too outdated and vulnerable to exploits by hackers, merchants will be required to use the more current, secure versions (TLS 1.1 or TLS 1.2) to process credit card payments and will no longer support TLS 1.0.

As explained by payment technologies and merchant services provider Cayan, LLC, some experts project that the U.S. economy could suffer $20 billion in lost transactions if merchants don’t upgrade by this time.

3. I’m not a merchant. How does this affect me?

While you may not be a merchant who accepts credit card payments, it’s likely that you’re a customer who makes card payments when you shop online or use online banking to access your accounts at your bank or credit union. Every time you open your web browser to complete one of these transactions, your data is protected by the TLS protocol.

Once online stores and financial institutions switch exclusively to TLS 1.1 and 1.2, you may not be able to access the secure parts of their websites if your web browser is only set up to support version 1.0. Fortunately, the majority of Internet users have their web browsers configured to support the most current TLS versions—especially users who make it a habit of upgrading their web browser when updates get pushed out.

So if you’ve been ignoring that "Please upgrade to the latest version" pop-up from Google Chrome or your browser of choice, it’s a good idea to take a few minutes and update now! Remember, the most recent version of your web browser is also the most secure version.

4. I do all my online transactions from my phone. Does the TLS changeover still apply?

Similar to those browsing from a desktop computer or laptop, most mobile phone users are running the most up-to-date version of their phone’s operating system and most likely won’t have any problems. However, those who have older devices or have been postponing OS updates will want to double check their settings. Apple users should be using iOS 5 or higher, and Android users will want to have Lollipop 5.0 or higher.

Many online stores and financial institutions have already started the process of disabling TLS 1.0 support and are exclusively supporting versions 1.1 and 1.2, to stay ahead of the July 1 deadline. If your browser settings aren’t up to date, consider running your updates as soon as possible to avoid any security issues, TLS-related or otherwise.


NOTE: To protect members' confidential account data, SF Police Credit Union and our online banking provider have made the decision to exclusively support TLS 1.1 and 1.2 for Online Banking users as of May 24, 2018. For instructions on how to verify your browser settings and enable TLS 1.1 and 1.2 before then—including a button you can press to verify your TLS settings--please visit https://www.sfpcu.org/tlsupdate