Wednesday 7 February 2018

TLS changes may spell trouble for your donors & CRM

On June 30th the rules for taking credit card payments get tightened up. This means extra security, but also problems for some of the people who make donations to you. It may also mean that changes are needed to your CRM. Eeek.

People who take credit card payments - us - have to keep to a set of standards called PCI DSS (Payment Card Industry Data Security Standard). On 30th June 2018, the PCI folks are tightening these rules.

The new rules say that TLS 1.0 (what does this mean? More on that below) is no longer considered a secure way to move credit card data. Instead one has to use TLS 1.1 or higher. Everyone who moves credit card data has to change the method of encryption they use. This affects all of us, from Amazon to Willen Hospice.

Let me give you a real-world example. At the University of Oxford we use Blackbaud software for our fundraising CRM and CMS systems. We also pay Blackbaud to handle credit card data securely for us. This means that on step 3 of our online donation process we send our users to a payment page on Blackbaud’s servers to enter their credit card details.

When a donor, let’s call her Lucy, uses this payment page, credit card data is moving from her web browser to Blackbaud's server. From the start of July the rules say that this data transfer is only permitted using TLS 1.1 or higher. So:
  1. Blackbaud need to change their system to support TLS 1.1 and to stop working with TLS 1.0.
  2. Lucy needs to use a web browser that supports TLS 1.1 in order to make payments.

Your provider, like Blackbaud, is pretty professional, so they’re on top of 1. You need to think about 2.

In our case, we think 0.5%-0.9% of our users are going to have a problem making payments. That’s not a huge number, but the user experience they receive is terrible. The message is generic and of little meaning to the typical layperson. For example, in the case of Internet Explorer 7 an error message is given which says

“Internet Explorer cannot display the web page”

Lucy, our example user, will get a similar message on other websites. So I imagine she’ll take the hint and upgrade. But, if you’re the first website she comes across like this, then she might not understand the issue.

But wait! You, like us, may have a bigger problem. Blackbaud are updating all their software to meet this change in PCI standards. That’s lots of work for my department because CRM systems tend to have hands in many pies.


Next steps
1. If you use a third-party to handle your credit card data then find out their plans. Look at their website and see what they’re saying about the change.

Here is some example info from a few well-known providers:

  • Blackbaud
  • Stripe
  • Worldpay

2. Talk to your server operations people. Does your website currently accept TLS 1.0? Do they plan to change that in the next few months? They don't have to - the rule change relates to credit card data specifically - but it's wise to check you have a shared understanding.

3. Look at your website stats. How many of your potential donors will be impacted? I've found the following browsers stop working when TLS 1.1 is used:
  • Internet Explorer 8-10 (unless Lucy has updated a setting in her browser)
  • Internet Explorer 7 and under
  • Safari 6 and under
  • Chrome 21 and under
  • Firefox 26 and under
  • Android 4 and earlier (the native browser breaks, and they can't use Chrome instead)
  • iOS 4 and under
From my stats that's 0.5%-0.9% of users. The range is because the stats don't tell me if the setting in IE8, IE9 & IE10 is switched on.
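As an added example (my own, not code from the original post or from Blackbaud), here is a Python script that does step 3 over a web server access log: it classifies each request's browser against the list above and produces the same low/high range the post describes, the uncertainty being the IE8-10 setting. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines standing in for donation-page traffic; the
# addresses and user agents are made up, and deliberately skewed towards old browsers.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Feb/2018:10:00:01 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
203.0.113.6 - - [07/Feb/2018:10:00:02 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
203.0.113.7 - - [07/Feb/2018:10:00:03 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.8 - - [07/Feb/2018:10:00:04 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-gb; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
203.0.113.9 - - [07/Feb/2018:10:00:05 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1"
203.0.113.10 - - [07/Feb/2018:10:00:06 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:58.0) Gecko/20100101 Firefox/58.0"
203.0.113.11 - - [07/Feb/2018:10:00:07 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_5 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8L1 Safari/6533.18.5"
203.0.113.12 - - [07/Feb/2018:10:00:08 +0000] "GET /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6"
"""

# (regex capturing the major version, highest affected version, verdict). Android and iOS
# come first because their user agents also carry the Safari tokens matched further down.
_RULES = [
    (r"Android (\d+)", 4, "broken"),
    (r"(?:iPhone|CPU) OS (\d+)_", 4, "broken"),
    (r"MSIE (\d+)", 7, "broken"),
    (r"MSIE (\d+)", 10, "setting"),  # IE8-10 work only if TLS 1.1 was switched on
    (r"Firefox/(\d+)", 26, "broken"),
    (r"Chrome/(\d+)", 21, "broken"),
    (r"Version/(\d+)[\d.]* .*Safari/", 6, "broken"),  # real Safari, not Chrome's token
]

def tls11_status(user_agent):
    """'broken' (cannot do TLS 1.1), 'setting' (IE8-10, depends on a setting) or 'ok'."""
    for pattern, max_bad_version, verdict in _RULES:
        m = re.search(pattern, user_agent)
        if m and int(m.group(1)) <= max_bad_version:
            return verdict
    return "ok"

def affected_share(log_text):
    """Return (counts by verdict, low %, high %); counts are per request, not per donor."""
    # The user agent is the last double-quoted field of a combined-format line.
    agents = [re.findall(r'"([^"]*)"', line)[-1] for line in log_text.splitlines() if line.strip()]
    counts = Counter(tls11_status(ua) for ua in agents)
    total = max(len(agents), 1)  # avoid dividing by zero on an empty log
    # Low assumes every IE8-10 user has the setting on, high assumes none do (hence the post's range).
    low = 100.0 * counts["broken"] / total
    high = 100.0 * (counts["broken"] + counts["setting"]) / total
    return counts, low, high

if __name__ == "__main__":
    counts, low, high = affected_share(SAMPLE_LOG)
    print(dict(counts), f"{low:.1f}% to {high:.1f}% of requests likely to fail")
```

Point it at your real access log instead of SAMPLE_LOG and the percentages become your own version of the 0.5%-0.9% figure; counting distinct addresses rather than requests gives a closer estimate of donors.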


What’s TLS then?

The internet is all about conversations, conversations between different devices. When Lucy visits a website, her phone/tablet/laptop has a conversation with the computer that hosts the website. There’s a back and forth exchange while each page loads.

Now this conversation gets relayed across the internet via various devices. That’s brilliant - it’s a robust approach - and worrying - someone can intercept the conversation and listen in.

Many moons ago companies started using encryption to make this exchange of data more secure. Essentially Lucy’s device talks in code to the website concerned. Good, eh? No one can intercept that conversation and learn that Lucy’s password happens to match the name of her cat.

Except... criminals are always hunting for ways to crack the code. Periodically they succeed and the PCI people decide we all need to use a more secure code.

TLS 1.1 is simply a better code than TLS 1.0. I imagine in 4-5 years’ time TLS 1.1 will be cracked. And we’ll all start moving to TLS 1.2.

Really, it’s all about safeguarding Lucy’s money.