May 2018 PCI + Security Update

    Chances are these apply to your site, so have a read

Keeping up with security and PCI Compliance is probably one of the most annoying aspects of running (and developing!) an e-commerce site, and we have more than our fair share this month.

Authorize.net Update

Authorize.net tends to update things without letting anyone know, and this month it was their Security Certificate.  They have their own file they provide for their integrations, and they suddenly disabled their old one and added a new one.  We have a copy of it, so if your Authorize.net transactions are giving you grief, let us know and we will update it for you.

USPS API Changes

You may have received an email from USPS regarding the removal of TLS 1.0 and 1.1 from their API.  If you are hosted on our server, we have already tested the change and it won’t affect your site.  If you are hosted elsewhere, make sure your host has TLS 1.2 installed and fully functional.  Most will, as only the REALLY bad hosts wouldn’t have upgraded by now.  The change goes into effect for USPS on June 22, 2018, so if your USPS rates no longer work in your cart after that date you will know why.

jQuery Vulnerability

If you run Trustwave or other PCI Compliance scans on your site regularly, you likely failed your latest scan due to a vulnerability in older versions of jQuery.  This is a script that is used for all sorts of cool on-site functionality, and upgrading may be a problem depending on how your shopping cart is coded.  For Pinnacle Cart we have received and tested a patch to address this, so let us know if you would like us to install it on your cart.

TLS 1.2 Requirement

As of June 2018, TLS 1.2 will be required on all e-commerce sites, and TLS 1.0 and 1.1 must be disabled on the hosting server.  No clue what TLS is?  You shouldn’t have to as this is usually a hosting/developer issue, but with all of the emails flying around from third-party vendors, it pays to know a bit about it.  Here’s an article from last year with a bit more info about TLS if you are curious.

The problem with disabling those older TLS protocols is that it will cause Internet Explorer versions 7 and below (and some other older browsers) to have issues with your site, and Outlook will not be able to connect to email on the server.

First, let’s address the older browser issue.  You’d be surprised at how many people still run an old version of Internet Explorer.  Many corporations have a bunch of in-house systems that they don’t want to upgrade to play nice with the newer versions of the browser, so they force their employees to use something like Internet Explorer 7.  At this point, they will HAVE to upgrade, as most servers will simply not support it any longer.  We’ve developed an app we can install on your site that will detect older browsers and ask the user to upgrade, informing them that they will no longer be able to use the site correctly with their old relic.  Let us know if you would like that installed on your site.  We will be disabling TLS 1.0 and 1.1 on our server very soon!
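To show what an old-browser check like the one described above involves, here is an added example (not the app mentioned in this post) that classifies a User-Agent string against the "Internet Explorer 7 and below" cutoff.  The function names and sample strings are made up for illustration, and a User-Agent is only a hint, since the real limit is which TLS versions the browser can negotiate.

```javascript
// Added example: decide whether a visitor should see an "upgrade your browser" notice.
// All names and sample User-Agent strings here are constructed for illustration.

const MAX_BLOCKED_IE = 7; // cutoff from the article: IE 7 and below

// IE 8+ in Compatibility View reports "MSIE 7.0" but still sends its real
// Trident engine token, so the engine version is the more reliable signal.
const TRIDENT_TO_IE = { 4: 8, 5: 9, 6: 10, 7: 11 };

function realIeVersion(ua) {
  if (typeof ua !== "string") return null;
  // Old Opera releases included an "MSIE" token for compatibility; not IE.
  if (/\bOpera\b/.test(ua)) return null;
  const trident = /Trident\/(\d+)\./.exec(ua);
  if (trident && TRIDENT_TO_IE[Number(trident[1])]) {
    return TRIDENT_TO_IE[Number(trident[1])];
  }
  const msie = /\bMSIE (\d+)\./.exec(ua);
  return msie ? Number(msie[1]) : null; // null means "not Internet Explorer"
}

function needsUpgradeNotice(ua) {
  const version = realIeVersion(ua);
  return version !== null && version <= MAX_BLOCKED_IE;
}

// Constructed sample User-Agent strings.
const SAMPLES = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  ie7: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  ie8CompatView: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
  ie11: "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
  oldOpera: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
  chrome: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
          "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
};

function classifySamples() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLES)) {
    out[name] = needsUpgradeNotice(ua);
  }
  return out;
}
```

The Compatibility View case matters most: without the Trident check, IE 8 and newer users in that mode would be told to upgrade a browser that is not actually IE 7.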

As far as Outlook goes, Microsoft is going to be disabling TLS 1.0 and 1.1 support in October, so the connectivity issue should be resolved by then as well.  We’ll be testing this on our server in the next week or so, and will post an update on Facebook if there are any concerns for Outlook users.

Completely Lost Yet?

Don’t worry, I don’t blame you.  Feel free to drop us a line if you would like us to take a look at your site and check these things for you.