Jason Coleman, creator of the popular Paid Memberships Pro plugin, published a post today, warning users that many payment gateways will soon require TLS 1.2. The encryption protocol secures communication between the server and customers’ browsers so that things like credit card numbers and addresses can be transferred safely.
Coleman outlined the requirements that a server should support in order to be compatible with TLS 1.2:
- Run OpenSSL 1.0.1 or higher, or another cryptographic library that supports TLS 1.2
- Run PHP version 5.5.19+
- Run cURL version 7.34.0+
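A command-line check of the three minimums in the list above, as an added example that is not taken from Coleman's plugin or his post. It assumes the command-line `openssl`, `php` and `curl` binaries are the same builds the web server uses, which is not true on every host; the function names are illustrative.

```sh
# Added example: check the three minimum versions listed above.
# Assumption: the command-line openssl, php and curl match what the web server uses.

# Extract the first dotted number from a banner, dropping suffixes such as
# the "e-fips" in "OpenSSL 1.0.1e-fips 11 Feb 2013".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 >= $2, comparing each field as an integer
# (so 7.4.0 < 7.34.0, which a plain string comparison gets wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print one result line for a component; fail if too old or not detected.
check_min() {
    name=$1 banner=$2 min=$3
    found=$(extract_version "$banner")
    if [ -z "$found" ]; then
        echo "UNKNOWN $name: no version detected (minimum $min)"; return 1
    fi
    if version_ge "$found" "$min"; then
        echo "PASS    $name $found (minimum $min)"
    else
        echo "FAIL    $name $found (minimum $min)"; return 1
    fi
}

# Check all three banners against the minimums from the list above.
tls12_report() {
    rc=0
    check_min OpenSSL "$1" 1.0.1  || rc=1
    check_min PHP     "$2" 5.5.19 || rc=1
    check_min cURL    "$3" 7.34.0 || rc=1
    return "$rc"
}

tls12_report "$(openssl version 2>/dev/null)" "$(php -v 2>/dev/null | head -n 1)" \
    "$(curl --version 2>/dev/null | head -n 1)" || echo "At least one component is too old or was not detected."
```

A passing result only shows that the installed versions are new enough; the plugin's live test against a gateway endpoint is still the check that a TLS 1.2 connection is actually negotiated.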
Since this is a fairly technical situation for the average e-commerce store owner or site admin to have to deal with, Coleman created a new plugin called TLS 1.2 Compatibility Test to help users determine if they need to upgrade.
After activating the plugin, users can navigate to Tools > TLS 1.2 Compatibility to perform the test. The results will indicate if it’s necessary to upgrade the server’s version of OpenSSL, PHP, or the SSLVERSION of cURL.
Users can take this information and relay it to their hosting companies when asking for an upgrade. The plugin offers testing via the PayPal and the How’s My SSL API endpoints, but Coleman plans to add more API endpoints provided by popular gateways.
The Payment Card Industry Security Standards Council (PCI SSC) had a deadline of June 30, 2016, for updating to use a secure version of TLS (1.1+) but has since extended the migration completion date to June 30, 2018. Although this may seem like plenty of time, payment gateways will be requiring the switch sooner.
PayPal’s deadline was today, June 17, 2016, but the company has now followed PCI SSC in extending it to June 30, 2017. Starting July 1, 2016, Stripe will only accept API requests made with TLS 1.2. This only applies to new users; existing users have a little longer to comply. On January 1, 2017, Stripe will drop support for TLS 1.0 and will drop support for TLS 1.1 on May 1, 2017. Other payment gateways may have different deadlines.
If you have a membership site or e-commerce store that accepts payments on-site, you will want to check with your payment gateway for its specific schedule for requiring TLS 1.2. Coleman’s TLS 1.2 Compatibility Test plugin will give you an idea of any upgrades that need to be made on your server.