03/03/2015

Shift4 Doesn’t Use SSL (And You Shouldn’t, Either!)

Shift4 Doesn’t Use SSL (And You Shouldn’t, Either!)

You may remember that back in November, we released an alert about protecting yourself from the POODLE SSL vulnerability. For those of you who are less familiar with SSL, it refers to a type of encryption that was once used to secure communications between a user’s Web browser and a website in order to protect transmitted data from eavesdropping or tampering. However, even the most “recent” version of this security protocol, SSL v3.x, is outdated, and hackers have been taking advantage of its weaknesses to do all kinds of bad things – from stealing payment card information to taking over user accounts if a browser still allows for the use of SSL.

Some websites have continued to support SSL even after new security protocols, including TLS (the first version of which was created back in 1999 to replace SSL), in order to accommodate users who didn’t update their browsers. Hackers have been using this to their advantage. In October of last year, the Google researchers who discovered the POODLE SSL vulnerability, Bodo Möller, Thai Duong, and Krzysztof Kotowicz, specified that there is no way to patch this flaw and that “to achieve secure encryption, SSL 3.0 must be avoided entirely.”

Shift4 Has No SSL in Our Environment
First of all, we want to make sure you’re aware that Shift4 is immune to any SSL vulnerabilities because it has been completely eradicated from our data centers. We don’t use Web services [https://] to connect point-of-sale systems to Shift4’s DOLLARS ON THE NET®, data centers, or interfaces. Instead, our Universal Transaction Gateway® (UTG®) uses TCP/IP services to securely transport your payment transactions. We’ve also removed SSL from www.shift4.com, www.dollarsonthenet.net, MyPortal, i4Go®, IT’S YOUR CARD®, and all other Shift4-owned services and domains. So, you can rest assured that our servers will negotiate the strongest possible encryption supported in the TLS spec by your browser.

What PCI Is Doing About SSL
On February 13, 2015, PCI SSC announced that the SSL vulnerability discovered last year has prompted them to remove SSL’s inclusion as “strong cryptography” and review their PCI DSS and PA-DSS in response.

Therefore, according to PCI SSC, they will be issuing PCI DSS v3.1 and PA-DSS v3.1 to include their new stance on SSL and “other minor updates and clarifications.” No date is defined for the release, but the revisions will be effective upon release, with “future dated” requirements to allow for implementation. In the meantime, PCI SSC is still looking into how they’ll address current and future submissions for the PA-DSS.

What You Need to Do
The fast and easy fix is to ensure that your organization no longer has SSL enabled anywhere in your browsers and in your servers. You can follow the directions posted on our original blog about POODLE here.

About That February 13, 2015, Update to the PCI SSC Definition of SSL?
We also think it’s interesting to note that PCI defined SSL, which had already been replaced back in 1999, as “strong cryptography” in the first place. This certainly goes to show you that compliance does not always equal security. Be vigilant out there, folks. And know that we’re always using the latest technologies so you can achieve Security Beyond Compliance®.

If you have any questions, our world-class Customer Support representatives are available 24/7/365 to assist you. Don’t hesitate to contact us at 702.597.2480 (option 2) or support@shift4.com.