How the credit card industry is helping the adoption of modern web standards

Blurry close-up photo of credit cards
This Visa appears to be using the CSS ‘perspective’ property, and maybe a filter: blur(). Photo is CC BY 4.0.

The credit card industry is about to require security practices that will preclude support for Internet Explorer 10 and older. The story of how and why is RWA (riddled with acronyms).

My friend and colleague at silverorange, Mike Gauthier, gave a talk at a recent local developer meeting about Web Security with TLS (slides). In his well-researched overview of SSL and TLS encryption on the web, he explained how a boring industry organization (my words, not his) is helping to accelerate the transformation of the web browser landscape.

Presentation slide with Internet Explorer logo with list: Uses SChannel, TLS 1.2 supported on Windows 7, TLS 1.2 only on by default in IE 11, Edge is great
See Mike’s slides from his Web Security with TLS for more detail.

We build web sites and applications for clients that process credit card transactions. We’ve been working with our clients to ensure that they are compliant with the Payment Card Industry Data Security Standard (boring PDF warning), or PCI DSS.

PCI DSS is a standard to ensure data security in the world of credit card processing. It is maintained by the PCI Security Standards Council, a consortium of the major card brands (Visa, MasterCard, American Express, Discover and JCB). The standard dictates procedural and technical measures that anyone storing, processing or transmitting cardholder data must implement to maintain a basic level of security.

Among the many prescriptions of the standard is strong cryptography for cardholder data sent over public networks, which on the web means TLS (Transport Layer Security), and the standard no longer counts SSL or “early TLS” (TLS 1.0) as strong. Here’s where the world of web browsers gets involved. The PCI DSS requires that new implementations accept nothing older than TLS 1.1 (TLS 1.2 is recommended) by June of 2016. All implementations, old or new, must stop accepting SSL and TLS 1.0 by June 30, 2018.

The effect on web browsers is indirect but unavoidable: once a merchant’s server stops accepting TLS 1.0, a browser that cannot negotiate TLS 1.1 or later is simply refused a connection. So every browser still in use has to be able to speak TLS 1.1 or better by the June 2016 compliance date.

Mike’s slide about IE.

Old friend Internet Explorer relies on Windows’ SChannel library for TLS, so it didn’t get TLS 1.1 and 1.2 until Windows 7, and even then they weren’t enabled by default until IE 11. The Microsoft Edge browser does fine, as do all of the other major browsers.

This means that as of June 2016, our clients’ sites can no longer support IE6 through IE10 in their default configuration (a user on Windows 7 can switch TLS 1.1 and 1.2 on under Internet Options, but few do), nor any version of IE on Windows XP or Vista, whose SChannel never got anything newer than TLS 1.0. If the sites kept accepting the older protocols those IE versions require, the clients would be subject to fines and/or suspension of their card processing abilities.

That’s right. If you are accepting credit card payments, you can be fined for supporting old versions of Internet Explorer.
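To see what that refusal looks like at the protocol level, here is an added example (not code from the post or from silverorange) that builds minimal TLS ClientHello messages standing in for the browsers discussed above, parses them, and mimics the server’s version selection before and after the cut-over. The sample handshakes are constructed, not captured, and the IE defaults they encode (TLS 1.0 only before IE 11) are taken from the slide above.

```python
"""Added example: decide from a TLS ClientHello whether a client can still
reach a server that refuses SSL and "early TLS" (TLS 1.0).  Constructed
sample handshakes stand in for the browsers discussed in the post."""
import struct

TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 supported_versions extension type


def build_client_hello(client_version, supported_versions=None,
                       cipher_suites=(0x002F, 0x0035)):
    """Build a minimal ClientHello record (constructed sample, not a capture).

    Legacy clients advertise their highest version in client_version; TLS 1.3
    clients keep client_version at TLS 1.2 and list versions in an extension."""
    body = bytes(client_version)
    body += b"\x00" * 32                       # random (zeros: sample only)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                        # one compression method: null
    if supported_versions is not None:
        versions = b"".join(bytes(v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record layer: content type 22 (handshake), legacy record version TLS 1.0
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the versions a ClientHello offers; raises on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    supported = None
    if pos + 2 <= len(body):                       # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT and data:
                supported = [(data[i], data[i + 1])
                             for i in range(1, 1 + data[0], 2)]
    return {"client_version": client_version,
            "cipher_suites": cipher_suites,
            "supported_versions": supported}


def negotiate(hello, server_min=(3, 2), server_max=(3, 3)):
    """Mimic the server's version choice.  Returns the negotiated version name,
    or None where the server would answer with a protocol_version alert.
    Defaults model a PCI-compliant 2016 server: TLS 1.1 minimum, TLS 1.2 maximum."""
    if hello["supported_versions"]:                # RFC 8446 section 4.2.1
        ok = [v for v in hello["supported_versions"] if server_min <= v <= server_max]
        return TLS_VERSIONS.get(max(ok), str(max(ok))) if ok else None
    chosen = min(hello["client_version"], server_max)   # RFC 5246 appendix E.1
    return TLS_VERSIONS.get(chosen, str(chosen)) if chosen >= server_min else None


# Constructed ClientHellos standing in for the browser classes named in the post.
SAMPLE_HELLOS = {
    "IE 8 on Windows XP": build_client_hello((3, 1)),        # TLS 1.0 is all SChannel has
    "IE 10 on Windows 7, default settings": build_client_hello((3, 1)),  # 1.1/1.2 exist but are off
    "IE 11 or Edge": build_client_hello((3, 3)),
    "TLS 1.3-capable browser": build_client_hello((3, 3), [(3, 4), (3, 3)]),
}


def pci_impact(hellos=SAMPLE_HELLOS):
    """What each client negotiates before (TLS 1.0 still accepted) and after
    (TLS 1.1 minimum) the June 2016 cut-over; None means the handshake fails."""
    return {name: (negotiate(parse_client_hello(raw), server_min=(3, 1)),
                   negotiate(parse_client_hello(raw), server_min=(3, 2)))
            for name, raw in hellos.items()}


if __name__ == "__main__":
    for name, (before, after) in pci_impact().items():
        print(f"{name:40} before: {before or 'refused':8} after: {after or 'refused'}")
```

The point the table makes: the server never learns what a client *could* do after a registry tweak, only what it offers in the ClientHello, so IE 10 with its default settings is indistinguishable from IE 8 on XP and both are refused the moment TLS 1.0 is turned off.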

It’s not clear how soon and how strictly the standard will be enforced by the credit card providers, if at all. Even if it ends up being treated more as a suggestion than a requirement, any acceleration of the adoption of more standards-compliant browsers is welcome.

Older versions of Android are affected in the same way: releases that can’t negotiate TLS 1.1 or later, or don’t enable it by default, are shut out too. Given the way Android updates are handled on many phones and carriers, out-of-date versions of Android are quite common.

The side-effects of this are clear. Out-of-date web browsers that have been holding back the adoption of modern web standards, including CSS 3, are getting an extra push into obsolescence.

Using global statistics from Net Market Share, the Internet Explorer users affected by this account for just over 15% of web users as of March, 2016. For most of our clients, whose customers skew toward the US, the number is closer to 5%. Either way, it’s a significant percentage of people using the web.
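Global statistics only go so far; before turning TLS 1.0 off, the number that matters is how many of your own clients still negotiate it. The following is an added example (not code from the post or from silverorange) that reads nginx access logs which include the `$ssl_protocol` variable and reports the share of distinct clients on SSL or early TLS, broken down by browser family. The log format and the sample lines are this example’s own assumptions, not anything from the post.

```python
"""Added example: measure, from a web server's own logs, how much traffic
still negotiates SSL/TLS 1.0 before the cut-over.  Counts distinct clients
rather than requests so one chatty old browser doesn't skew the share."""
import re
from collections import Counter

# Assumed nginx log_format (this example's assumption, not from the post):
#   log_format tls '$remote_addr [$time_local] "$request" $status '
#                  '"$http_user_agent" $ssl_protocol $ssl_cipher';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<proto>\S+) (?P<cipher>\S+)$')
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}   # what PCI DSS calls SSL / early TLS

# Constructed sample lines (not real traffic); addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 [15/Mar/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" TLSv1 AES128-SHA
203.0.113.10 [15/Mar/2016:10:01:05 +0000] "GET /checkout HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" TLSv1 AES128-SHA
198.51.100.7 [15/Mar/2016:10:02:11 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.33 [15/Mar/2016:10:03:40 +0000] "GET /cart HTTP/1.1" 200 "Mozilla/5.0 (Linux; U; Android 4.3; en-us; GT-I9300 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" TLSv1 AES256-SHA
192.0.2.44 [15/Mar/2016:10:04:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
198.51.100.9 [15/Mar/2016:10:05:19 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.5 [15/Mar/2016:10:05:30 +0000] "GET /health HTTP/1.1" 200 "curl/7.47.0" - -
"""


def ua_family(ua):
    """Coarse browser family, enough to see who is stuck on early TLS."""
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return "IE " + m.group(1)
    if "Trident/7.0" in ua:                 # IE 11 dropped the MSIE token
        return "IE 11"
    m = re.search(r"Android (\d+(?:\.\d+)?)", ua)
    if m:
        return "Android " + m.group(1)
    for name in ("Edge", "Firefox", "Chrome", "Safari"):  # Edge first: its UA also says Chrome
        if name + "/" in ua:
            return name
    return "other"


def summarize(log_text):
    """Share of distinct TLS clients on SSL/early TLS, plus which browsers they are."""
    per_client = {}                          # ip -> (protocol, user agent); first TLS hit wins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("proto").startswith(("SSL", "TLS")):
            continue                         # unparsable, or plain HTTP ($ssl_protocol is "-")
        per_client.setdefault(m.group("ip"), (m.group("proto"), m.group("ua")))
    early = {ip: v for ip, v in per_client.items() if v[0] in EARLY_TLS}
    return {
        "clients": len(per_client),
        "early_tls_clients": len(early),
        "early_tls_share": round(100.0 * len(early) / len(per_client), 1) if per_client else 0.0,
        "by_protocol": Counter(proto for proto, _ in per_client.values()),
        "early_tls_families": Counter(ua_family(ua) for _, ua in early.values()),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(f"{key:20} {dict(value) if isinstance(value, Counter) else value}")
```

Run it against a real log with `python measure_tls.py /var/log/nginx/access.log` (the file name is this example's own). Counting by address undercounts clients behind NAT and overcounts mobile users whose address changes, so treat the share as a rough figure; the family breakdown is the useful part, because it tells you whether the remaining early-TLS traffic is people or just old monitoring scripts.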

I’ve long been a supporter of standards. They allow us to build the web and to use a broom-handle with a paint roller. It’s nice to see the unintended consequences from the financial industry make our jobs as web developers a little bit easier.

Thanks to Mike Gauthier for his research and presentation on the topic. For more detail see the slides from his presentation, Web Security with TLS.