The payment processing industry will stop accepting payments from sites that use versions of TLS older than 1.2.

WordPress is an excellent eCommerce solution for smaller online retailers and for selling digital products. eCommerce on WordPress usually requires the use of a payment processor. It’s almost never a good idea to take money directly — payment processors like PayPal and Stripe are experts at the complexities of handling money online, and they take care of making sure you’re able to offer credit card transactions that conform to PCI DSS regulations.

To use a payment processor, WordPress sites must offer encrypted connections to the browsers of their customers. To do that, retailers use SSL certificates so they can offer encryption and identity validation to eCommerce customers.

SSL (which should really be called TLS) relies on a complex architecture of certificate authorities and cryptographic technologies. At the heart of SSL is an algorithm crucial to keeping connections secure. Over the years, that algorithm has evolved. Each generation is replaced by a better algorithm, because weaknesses are discovered in the earlier versions. There’s at least a theoretical chance that an attacker could breach the security of early versions of the algorithm, allowing them to trick eCommerce customers.

Because of that risk, PCI DSS has mandated the older versions of the algorithm are phased out. Originally, it mandated that versions older than TLS 1.2 should not be used after June of this year. Payment processors like PayPal, which require PCI DSS certification, will follow through on the PCI DSS regulations — stores using old versions of TLS will not be able to make credit card transactions.

That’s a problem for the WordPress store owners who are still using the older version. Before you panic, you’ve got a bit of wiggle room. The PCI DSS has extended the deadline to July 2017, but some payment processors will stop accepting payments over insecure connections earlier than that.

PayPal has extended its deadline in line with the PCI DSS deadline. Stripe however, intends to stop processing payments made over “insecure” connections from July 1st 2016 for new users. Existing users get until the end of the year to make the necessary changes. Other payment processors have their own timelines, and sellers using WordPress should investigate for themselves.

If you are unsure whether your WordPress eCommerce store uses an older version of the TLS algorithm, you can use the TLS 1.2 Compatibility Test plugin to find out. The plugin, developed by Jason Coleman of Paid Memberships Pro, will check that your WordPress site uses a recent version of OpenSSL (or another library that supports TLS 1.2), runs on a recent enough version of PHP, and has other requirements in place.

Posted in:
WordPress