Is Your POS System Secure from the Poodle SSL Vulnerability and is it PCI Compliant?
If you have an older point of sale system, then the answer is most likely no. So what is the Poodle vulnerability and how does it apply to POS systems? SSL encryption is a standard encryption method used for decades. A vulnerability named POODLE has been detected within SSL and is no longer PCI compliant. POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability in SSL that could allow a hacker to extract data from secure online connections.
Why should you care? Well, there could be a loss of confidential data that allows an attacker to decrypt sensitive information on your systems.
PCI Compliance TLS Upgrade Deadline was on June 30, 2018.
Time is running out for merchants to upgrade their POS systems to remain compliant with the new TLS security requirements. If merchants fail to do so, they risk a complete shutdown of credit card processing capabilities. Although the official deadline was June 30th, 2018, many processors have set their deadlines for merchants, some of which were as early as May 2018. If you didn’t meet the deadline, now is the time to act.
According to the PCI Standards Council Blog, the Payment Card Industry Standards Council (PCI SSC) extended the migration completion date to June 30, 2018, for transitioning from SSL AND TLS 1.0 to a secure version of TLS (currently v1.1 or higher).
How Big is the POODLE SSL Vulnerability to POS Systems?
So How Do You Keep Your POS System Secure?
Most legacy POS systems are vulnerable and should have been upgraded before the deadline. Now that the deadline has passed, the credit card processing functionality of any non-compliant equipment may cease. Migrating your POS is an industry-wide requirement. If you did not upgrade your POS before the final security date, it’s critical for you to take the necessary steps to ensure your point of sale is PCI compliant or purchase a new system that is compliant as soon as possible.
To remain PCI compliant, merchants, in some cases, will need to update software, operating systems, and hardware. Merchants who refuse to upgrade their point of sale system may not be able to process credit cards once the deadline was met.
Harbortouch has gotten out ahead of the potential POODLE SSL vulnerability disruption and is entirely PCI compliant, but most POS companies are just starting to become aware of this issue, and it is likely that many of them will be severely impacted in the months to come.
First Data and other large processors were recently hit by a similar disruption over the holidays caused by the expiration of a security certificate called SHA-1. Harbortouch was unaffected since they were able to update all of the certificates to the new SHA-2 requirement through extensive conversion efforts. The POODLE SSL issue is going to be exponentially more severe than the SHA certificate since virtually all POS systems rely on SSL encryption.
For more information about the POODLE SSL vulnerability or PCI compliance with your POS system, contact us.