Secure Sockets Layer (TLS/SSL) Protocol

As we have mentioned, credit card information should only ever travel over the HTTPS or TLS/SSL protocol, never HTTP. Most computer users recognize this by the little padlock visible in the browser when visiting secure websites. This protocol provides special security to prevent cyber-criminals from listening in on electronic communication and stealing private and/or financial information.

The article at https://en.wikipedia.org/wiki/Transport_Layer_Security further explains:

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL,” are cryptographic protocols that provide communications security over a computer network. Websites are able to use TLS to secure all communications between their servers and web browsers.  The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. When secured by TLS, connections between a web browser and a server have one or more of the following properties:

  • The connection is private and secure because symmetric cryptography is used to encrypt the data transmitted.  The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted. The negotiation of a shared secret is both secure and reliable.
  • The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties.
  • The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.

That may be more detail than you need to secure your computers, except for three vital facts. One, credit card and financial information must ONLY ever be transported over SSL/TLS communication by law, so you must ensure and confirm that SSL/TLS communication is used for any credit card number transfer, whether it is on your system or a third-party vendor's. Two, if credit card numbers are stored on or even transported through your computer equipment, you are directly responsible for meeting PCI Compliance requirements. These requirements are complex, so most businesses outsource this function to third-party vendors. Read more at https://www.pcisecuritystandards.org. Three, SSL/TLS standards are improving, and the latest version of TLS 1.2 was required on all credit card handling systems as of June 30, 2018. You must confirm that these security measures are on target.
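One way to confirm that an endpoint handling card data actually negotiates TLS 1.2, shown as an added example that is not part of the original article. It assumes TLS 1.2 is the floor and that newer versions are acceptable; the function names and the host `payments.example.com` are placeholders.

```python
import socket
import ssl

# Assumption: TLS 1.2 is the minimum acceptable version, newer is allowed.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Map the strings returned by SSLSocket.version() to TLSVersion members.
VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def strict_context():
    """Client context that validates the certificate chain and hostname
    and refuses to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def meets_policy(version_name):
    """True when a negotiated version string is TLS 1.2 or newer."""
    version = VERSION_NAMES.get(version_name)
    return version is not None and version >= MIN_VERSION


def check_endpoint(host, port=443, timeout=5.0):
    """Handshake with host:port and report what was negotiated.
    A failed handshake (old protocol only, bad certificate, wrong
    hostname) is reported as non-compliant instead of raising."""
    result = {"host": host, "version": None, "cipher": None,
              "compliant": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                result["version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["compliant"] = meets_policy(result["version"])
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder host; substitute the endpoint you need to confirm.
    print(check_endpoint("payments.example.com"))
```

A compliant result shows what the server negotiates with a modern client; it does not prove that older protocol versions are switched off on the server, which has to be confirmed in the server's own configuration.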