The Future Looks Bright

Why PCI DSS Requirements Will Change the Web For Everyone

By June of 2018, all “safe” websites will have to transact using TLS 1.1 or higher. This changeover should start this summer, as many service providers are required to implement the standard. The resulting cascade of change could do more to move web technology forward than anything else has in the last 5 years. Why? You won’t be able to use your old browser. Nobody will.

PCI DSS, Wha?

If you’re here reading this, chances are you’ve purchased something online at some point in your life.

When you made that purchase, you likely paid with a credit card or through a service like PayPal. The Payment Card Industry (PCI) has security standards that are set by a council and are referred to as the Data Security Standard (DSS). This standard protected that transaction from prying eyes and kept your personal information safe during transmission and storage.

For the retailer to accept your credit card information and not be held liable for certain types of fraud, their entire site has to be certified compliant with this standard.

PCI certification is something that has to be performed every year, and non-compliance is a big deal. It’s easily one of our least favorite yet most critical processes we go through each year—proving that Virid’s ecommerce platform is indeed PCI DSS level 1 certified.

All this matters because as security standards increase, so do the speed of computer processors and the abilities of your average hacker. Over time standards must change and we’re now looking at a roadmap to a new standard. The next standard is 3.1.

Little Green Locks

Most every shopper is trained to look for a little green lock or some sort of validation that the site they’re browsing is using SSL, TLS or other transmission encryption technology. Starting in a couple of years (when I started this post, the date was June 2016—they just moved it on Friday) the standard will become TLS 1.1 per the PCI DSS.

That means that two things have to be compliant: the system serving the website and the browser the customer is using on their device. Both have to support TLS 1.1.
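An added example, not part of the original post: a server-side check for the browser half of that requirement. It parses the first handshake message a client sends (the ClientHello) and reports the highest protocol version offered; the function names, the `FLOOR` constant and the sample messages built by `build_hello` are constructed for illustration.

```python
import struct

# Protocol version codes as they appear on the wire.
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
FLOOR = 0x0302  # TLS 1.1, the minimum named in the post (constant name is an assumption)

def client_max_version(record: bytes) -> int:
    """Return the highest protocol version a ClientHello record offers."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a TLS ClientHello record")
        hs_len = int.from_bytes(record[6:9], "big")
        hello = record[9:9 + hs_len]
        best = int.from_bytes(hello[0:2], "big")               # legacy client_version
        pos = 34                                               # version + 32-byte random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == 43:                                    # supported_versions (TLS 1.3 clients)
                body = hello[pos + 5:pos + 5 + hello[pos + 4]]
                offered = [int.from_bytes(body[i:i + 2], "big")
                           for i in range(0, len(body) - 1, 2)]
                best = max([v for v in offered if v in NAMES] or [best])  # skips GREASE values
            pos += 4 + elen
        return best
    except IndexError:
        raise ValueError("truncated ClientHello") from None

def meets_floor(record: bytes) -> bool:
    """True when the client offers at least the TLS 1.1 floor."""
    return client_max_version(record) >= FLOOR

def build_hello(legacy: int, supported=()) -> bytes:
    """Constructed sample ClientHello: one cipher suite, null compression."""
    hello = (legacy.to_bytes(2, "big") + bytes(32) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    if supported:
        lst = b"".join(v.to_bytes(2, "big") for v in supported)
        ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
        hello += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A client whose newer protocol versions are switched off by default offers only TLS 1.0 here, so `meets_floor` returns `False` for it even though the software could be reconfigured.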

Here’s a handy chart that illustrates the compatibility of most common browser versions.

Notice anything?

Anything prior to Internet Explorer 11 is non-compliant out of the box.

Want to see what your current browser supports? Go here.

Internet Explorer (IE) and the Modern Web

You want to see a web developer turn beet red and do their best not to explode? Suggest that the site you’re asking them to develop support IE 8 or earlier. Try it. It’s fun. Just make sure you tell them you’re kidding when you’ve had your giggle.

While Microsoft makes fine software and provides excellent services, many of us on the web have been less than impressed with their browser technology and its adoption of standards.

HTML 5 and CSS 3 are at least three years old and as recently as last year, there were parts of those standards that were simply not handled natively by the most current Microsoft browser.

Here’s a chart illustrating the feature differences between the last four versions of IE.

So why is anyone on IE? Or, more to the point, why are so many people still using older versions of IE?

Because upgrading sucks. And in some cases, especially in enterprise installations, it’s an enormous cost. Plus, why fix what isn’t broken?

The big deal

Remember your red-faced web developer? Right now she’s jumping for joy. All those shortcuts and cool new features you wanted on your website that “broke” in certain browsers? They just may not break now.

All of a sudden, our support calls get cut by 15%. Our developers smile a genuine smile (the sarcastic ones don’t count) more than once a week. Clients get the sites they want, and the features we build don’t require testing on 34 browsers, just 7 or 8. Why?

Because if you want to buy anything online, you’ll have to use a modern browser. 

That lingering 2 to 5% of sales coming from customers using outdated browsers (not just IE: Safari on Windows, anyone?) will evaporate.

And all will be right with the world.

Yeah, it’s probably a dream, but it sure is a nice one. Too bad PCI delayed full implementation until 2018—I was really looking forward to an exciting summer and getting a leap on new features in anticipation of the switch.

Maybe next year.
