First Data Could Get Tough with Unsecured Merchants

In a few days, First Data will start to disable the accounts of customers who access its systems over unsecure connections.

The company has been sending out notifications and reminders for over a year about changes that will be made to its Datawire service beginning on February 15th.

If merchants have taken no action, it could mean that their processing ceases immediately.

To many, First Data’s move demonstrates industry leadership on addressing a clear-and-present danger. Other processors are expected to take similar steps in the coming months.

All of this is being driven by a deadline set by the PCI Council. The mandate states that, by June 30, 2018, card data must be transmitted using only the secure versions of what’s known as the Transport Layer Security protocol, or “TLS”.

In a nutshell, TLS protects the integrity of the data transmission between computers on an open network. When, for example, a consumer visits a website, behind the scenes the consumer’s client device and the website’s host systems employ TLS to validate the website’s authenticity and encrypt the communications channel.

TLS protocols are periodically updated by NIST, a governmental standards body. The updates are needed to remedy known vulnerabilities and to defense oncoming threats. Owners of hosts systems adopt a new TLS version by making changes to their server software and then inform customers of the date on which older versions of TLS will no longer be supported.

The PCI Council originally called for the industry’s switch to occur in 2016, but after a large outcry, it granted a two-year extension. Processors don’t envision another extension and cannot risk PCI non-compliance.

So, very soon, they will begin to “flicker the lights” as a way to let merchants know that the TLS upgrade is a serious matter requiring attention.

Small businesses are particularly impacted.

That’s because large retailers are already compliant, while small merchants often resist technology upgrades on the grounds of “if it ain’t broke, don’t fix it”.

Well, it’s about to break… and on a very large scale.

Some processors and gateways believe that 50% of their connections are non-compliant. Wow!

What’s worse is that when merchants scurry to fix ancient technology, they will likely find that old terminals cannot be updated and some POS software companies have gone out of business. Merchant help desks will light up across the country as a result.

The timing of the situation bears consideration, too.

The TLS update will roil the small business community at the very same time that new chargebacks will hit. Visa and American Express are due to lift their temporary blocks on EMV counterfeit chargebacks in April.

The overlay of these disruptive circumstances could very well create new winners and losers in the marketplace.

Because RevChip was built from the ground up for EMV and Apple Pay, it benefits from a modern software architecture. RevChip runs TLS 1.2, the PCI Council’s recommended version, and is capable of automated field updates that enable a quick transition when the next TLS version becomes necessary.

EMV need not be a huge expense or a technology hassle. Merchants should be able to preserve their current POS marketing programs and start running Quick Chip EMV and Apple Pay in just a few days. If you agree, check out RevChip.

About RevChip

RevChip is the most comprehensive and affordable EMV software built for the U.S. market. It connects to major processors without a transaction fee and runs equally on Verifone and Ingenico devices. Using RevChip, merchants eliminate card data from their systems and shrink the burdens of PCI. The RevChip SDK provides POS developers with a quick and thorough EMV integration without the hassles of middleware.

To learn more about how RevChip solves for EMV and Apple Pay, download our Semi-Integrated EMV Guide or reach us at (800)560-0415.

DevPro Journal Staff

Zebra MC9400