Support for TLS 1.0 and PCI Compliance

Support for secure credit card transactions using TLS 1.0 is coming to an end after June 30, 2018. The new standards defined by the PCI Security Standards Council require all payment processors and third-party providers to explicitly disable support for TLS 1.0 and switch to exclusively using TLS 1.1 or later versions, preferably TLS 1.2.

More Information

If you use SocketTools to send or receive credit card payment data, upgrade to the current version before June 30, 2018. The current version of SocketTools includes several important security-related updates that ensure your users can continue to connect to these service providers.

Previous versions of SocketTools would negotiate for a secure connection using any version of TLS that was available. SocketTools 6.0 and earlier versions would also attempt to use SSL 3.0. Because SSL and the earlier versions of TLS are no longer secure, you cannot use them to connect to a PCI DSS 3.2 compliant service. The current version of SocketTools will only establish a secure connection using TLS 1.2, and will automatically disable the use of weaker cryptographic algorithms that can potentially cause the server to reject the connection.

SocketTools uses the Windows CryptoAPI and Schannel provider to implement support for TLS on the Windows platform. This provides several advantages to the developer because it is part of the core operating system. The application developer does not need to redistribute additional libraries, and updates are included as part of the normal Windows Update process, ensuring that their end users have the most current security updates and improvements.

This means that the security functionality in SocketTools is directly tied to the version of the Windows operating system on which the end user runs the application (not the version of Windows that was used to develop the application). Versions of Windows that are currently supported by Microsoft, from Windows 7 on the desktop to Windows Server 2008 R2, provide support for TLS 1.2. However, older versions of Windows that are no longer supported by Microsoft only provide support for TLS 1.0. Applications on those older platforms will fail to connect to credit card payment processors, gateways, and other payment service providers after June 30, 2018.

If you are using Windows Embedded POSReady 2009 (commonly used with devices such as cash registers and automated teller machines), Microsoft has released a hotfix that provides support for TLS 1.2. Because this is a variant of Windows XP SP3, it is also possible to install the hotfix on Windows XP systems. However, it is strongly recommended that you upgrade to the current version of Windows. Although the hotfix enables support for TLS 1.2, it does not update the cryptographic cipher suites supported on Windows XP. Less secure cipher suites will continue to be presented to the server, which may cause it to reject the connection. If you install the hotfix, you must also upgrade to the current version of SocketTools to establish a secure connection.

See Also

Unable to Establish Security Context
Support for TLS 1.2 on Windows XP