Essent to Discontinue Use of TLS 1.0 in Accordance with PCI Security Standards; Essent Customers Strongly Advised to Take Action

Attention Essent Software Product Customers – Essent will disable use of TLS 1.0 in accordance with PCI Security Standards, which may affect your ability to establish secure communications, including credit card transactions, with some customers. Essent will disable use of TLS 1.0 on January 30, 2016.

Note

You should bring this to the attention of your Information Technology (IT) department.

Problem

The Transport Layer Security 1.0 (TLS 1.0) encryption protocol no longer meets minimum security standards, as determined by the Payment Card Industry (PCI) Security Standards Council, due to security vulnerabilities in the protocol for which there are no fixes.

The PCI Security Standards Council has mandated that all new applications, including websites that take payment cards, must be compliant. All existing applications must discontinue use of TLS 1.0 to remain PCI Compliant.

TLS 1.1 and higher are still supported.

Essent Service Impact Analysis

All companies that make and accept credit card payments must discontinue use of TLS 1.0 and all versions of SSL before June 30, 2016.

This change, mandated by the PCI Security Standards Council, is not unique to Essent. All credit card processing technology worldwide needs to discontinue use of TLS 1.0 on or before June 30, 2016, to remain PCI Compliant.

The PCI Council is also mandating discontinuation of Secure Sockets Layer (SSL) encryption. Essent previously disabled the use of SSL, so no action is required and there is no additional impact on users or end customers regarding SSL.

TLS 1.0 is still in use for Essent customers who use EssentOne™, SiteBuilder™, or products built on SiteBuilder like PunchOutNow™. TLS 1.0 will be disabled, so customers need to take action in order to continue to process secure transactions.

Secure communications use TLS. The majority of secure transactions occur via a browser. Not all browsers support TLS 1.1 or higher. The latest versions of all major browsers, which are also browsers supported by Essent, support TLS 1.1 or higher.

If a consumer uses a system that relies upon TLS 1.0 and does not support TLS 1.1 or higher, then their service will be negatively impacted and they will not be able to complete secure transactions, such as placing an order.

Determine which browsers are being used by visitors to your websites. If outdated browsers are not in use, the impact is expected to be minimal; otherwise, expect to have to educate customers.

Essent Compass™ is not affected. Essent security products, like the Netset™ Network Security Appliance, are capable of using TLS 1.0 but do not fall directly under the PCI DSS umbrella and are not impacted.

Facility Management Support (FMS) service subscribers are always directed to keep their systems patched, including using the latest browsers supported by Essent. Subscribers are encouraged to identify systems that utilize TLS and discontinue the use of TLS 1.0.

Corrective Action

The Essent TLS 1.0 deadline is on Saturday, January 30, 2016, when Essent will discontinue the use of TLS 1.0.

Essent has deployed servers that only use TLS 1.1 or higher. Effective immediately, all new SiteBuilder production installations for new customers will only be provisioned on the TLS 1.1 web servers. For existing SiteBuilder production installations, TLS 1.0 will be involuntarily disabled as of the Essent deadline.

SiteBuilder customers are highly encouraged to disable TLS 1.0 sooner and may contact Essent Support to request to be voluntarily migrated to the TLS 1.1 web servers. There is no fee for this service but the service is subject to scheduling availability.

As of the voluntary migration or deadline, browsers that do not support TLS 1.1 or higher will not be able to perform secure communications.

In plainer terms, Essent customers and their customers need to use a system or browser, as the case may be, that is configured to use TLS 1.1 or higher by the deadline in order to continue to perform secure transactions with Essent technology.

If you have visitors that use TLS 1.0, have them update their system to support TLS 1.1 or higher. Notify visitors using an unsupported browser that they are using an unsupported browser and direct them to update their browser to a current version of one of the major browsers.
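One way to carry out the "determine browsers being used by visitors" step and find the visitors to notify, as an added example that is not Essent's code: it tallies the protocol each request negotiated and lists the user agents still on TLS 1.0 or SSL. It assumes your web server writes a combined-format access log with the negotiated protocol appended as a last field (for example nginx's `$ssl_protocol`); the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed layout (not from the advisory): combined access log with the
# negotiated protocol appended as a last field, e.g. nginx's $ssl_protocol.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<proto>(?:TLS|SSL)v[\d.]+)$'
)
# Protocols the advisory says must be discontinued: TLS 1.0 and all SSL.
LEGACY = {"TLSv1", "SSLv3", "SSLv2"}

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2016:10:01:02 +0000] "GET /cart HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1
203.0.113.10 - - [12/Jan/2016:10:01:09 +0000] "POST /checkout HTTP/1.1" 200 128 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1
198.51.100.7 - - [12/Jan/2016:10:02:11 +0000] "GET /cart HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0" TLSv1.2
192.0.2.44 - - [12/Jan/2016:10:03:30 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0" TLSv1.1
192.0.2.45 - - [12/Jan/2016:10:04:00 +0000] "GET / HTTP/1.1" 200 900 "-" "ExampleBot/1.0" -
"""

def summarize(log_text):
    """Return (requests per protocol, legacy client IPs per user agent, skipped)."""
    per_proto, legacy_clients, skipped = Counter(), defaultdict(set), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # plain HTTP ("-" protocol) or malformed line
            continue
        per_proto[m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_clients[m["ua"]].add(m["ip"])
    return per_proto, legacy_clients, skipped

def legacy_share(per_proto):
    """Fraction of TLS requests that used a protocol being retired."""
    total = sum(per_proto.values())
    legacy = sum(n for p, n in per_proto.items() if p in LEGACY)
    return legacy / total if total else 0.0

if __name__ == "__main__":
    per_proto, legacy_clients, skipped = summarize(SAMPLE_LOG)
    print(f"legacy share: {legacy_share(per_proto):.0%} ({skipped} lines skipped)")
    for ua, ips in sorted(legacy_clients.items()):
        print(f"{len(ips)} client(s) to notify: {ua}")
```

Run it over a few weeks of logs before the deadline; a client that negotiates TLS 1.0 today may still support a higher version, so treat the list as the upper bound of visitors who need to be contacted.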

More information is available in the Essent TLS 1.0 Retirement FAQ.

