As of the 30th of June 2018, the PCI Security Standards Council is requiring that all payment processors, merchants, service providers, and other stakeholders have disabled support for SSL 3.0 and TLS 1.0 as they are no longer capable of transmitting and receiving secure communications - TLS 1.1 or higher must be used, with TLS 1.2 being strongly recommended.
In response to this, various payment processors and online merchants we work with have announced the dates when they will also stop supporting SSL 3.0 and TLS versions below 1.1 or 1.2. Some have already ended support, and the others will be ending support on or before June 30th, 2018.
In line with the industry standards and best practices, Pronto will end support for SSL 3.0, TLS 1.0 and TLS 1.1 on our platform on the following dates;
Any Managed Website Plus, Multilingual, or eCommerce sites - 26th of February 2018
All websites on Pronto platform - 30th of April 2018
After these dates we will support only TLS 1.2 and above. TLS 1.2 is now overwhelmingly supported by modern operating systems and browsers, and includes a number of useful fixes and enhancements to the protocol.
Why are we making this change?
While this is a change to the industry standard and not merely a decision made by Pronto, by removing support for SSL and TLS versions 1.0 and TLS 1.1, we will be ending support for what is now an outdated protocol, and allows us to ensure that we are adhering to the best practices of the industry, which provides our clients, and their website visitors, with a higher level of security for their browsing sessions.
How will this affect me?
For the vast majority of our clients and their visitors, there will be no impact other than a guarantee of better security used when visiting one of our managed websites. For the minority of visitors who are using older browsers or operating systems, this will result in an error message being shown by the browser when trying to access a Pronto website. The visitor needs to update their browser to a version which supports TLS 1.2 to resolve this problem - examples are listed below;
- Google Chrome 30 or higher (version 40 or above is recommended)
- Mozilla Firefox 27 or higher (version 34 or above is recommended)
- Internet Explorer 11 or higher
- Apple Safari 7 or higher (Safari 5 or higher on mobile)
- Microsoft Edge, all versions
- Opera 17 or higher (version 27 or above is recommended)
Will my SSL certificate will stop working?
No, your SSL certificates will work normally after this change. TLS 1.2 has been supported and used in SSL certificates for a number of years, and almost all SSL certificates currently in use fully support TLS 1.2. The change we are making is only ending our support for old versions of the SSL and TLS protocols, not ending support for SSL certificates themselves. In addition to this, we test each SSL certificate on our platform at the time of installation to ensure compatibility with our servers and security protocols, and would advise at that point if there were any potential problems.
What do I need to do?
In short, unless you have a problem - nothing. We will make the necessary changes on our platform on the above dates. Most modern browsers and operating systems won't be affected by the change as they already support TLS 1.2. If you are affected and need assistance updating your browser, please contact your I.T. department for assistance.
To check if your browser will be affected by this change, you can use the site How’s My SSL? - this will advise which TLS version your browser is using.
Where can I find more information?
If you require any specific information regarding how your services will be affected, we recommend that you contact that service directly to ensure they are planning to support this change, or that they have already done so.
For general information, you may find the below links useful:
- Bulletin on Migrating from SSL and Early TLS - PCI Security Standards Council, 2015
- Date Change for Migrating from SSL and Early TLS - PCI Security Standards Council, 2015
- Migrating from SSL and Early TLS Information Supplement - PCI Security Standards Council, 2016
- Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS - PCI Security Standards Council, 2017
For specific information about individual payment gateways which we support, you can read announcements and guidance from some of them below;
If your payment gateway or merchant isn't included above, please feel free to contact them for information on their plans regarding the PCI Security Standards Council change.
Can my site be exempted?
While we don't recommend it, yes - just contact us and tell us you'd like to be exempted from this change, and we can ensure that SSL and TLS versions 1.0 and 1.1 remain supported on your site. However, if you use any third-party services on your site which do not support SSL and TLS versions below 1.2, you may encounter problems with using these services. To resolve this, you must either contact that service, or update your browser.
Who can I contact with questions?
You can always contact us at firstname.lastname@example.org for any questions or concerns about your services with us. For urgent issues, feel free to also use our live chat service at the bottom right of https://www.prontomarketing.com and we'll be happy to help look into the problem with you.