So-called man-in-the-middle attacks — which allow hackers to decrypt sensitive information and even steal cryptographic keys — are of particular concern with TLS 1.0, the PCI Security Standards Council said.

No fixes or patches can adequately repair TLS 1.0, the council reported, which why it is withdrawing support for TLS 1.0 on June 30, 2018. By then, online and e-commerce partners should be using TLS 1.1 or TLS 1.2, it said.

It's an in-the-weeds piece of technology, but Lou Grilli, Brian Maurer, who is VP of software development at CU*Answers, and CU*Answers EVP of Network Technologies Dave Wordhouse said credit unions that blow off upgrading it could find themselves with broken systems and angry members next summer. They said credit unions need to do a few things now to get ready for the change.

• Start grilling vendors. Credit unions often work with different vendors to create various offerings for members. But if some or all of those vendors haven't transitioned to TLS 1.1 or 1.2 by the deadline, some features or services could suddenly stop working, Maurer said. “You really want to make sure your vendors are talking, they're on the same page, they're communicating ahead of these shut-offs,” he warned. “If you just leave this up to your vendors, that's where credit unions could potentially find themselves with either a vendor not up to par to where it needs to be, or two vendors not communicating well with each other, potentially causing a miscommunication and ultimately an interruption in some service.”
• Be ready to renegotiate. Some vendors may not be willing to upgrade. “Getting out of that contract, switching to a new vendor, all of that stuff, that can certainly cost money,” Maurer said.
• Scrutinize your own systems. Grilli recommends audits of every machine and every piece of software. “Yes, it's really time-consuming and probably painful, but now is the best time to do it,” he said. “There are potentially homegrown systems that have been in place for a while that are going to have to be touched.” Code in custom applications may need to be rewritten, and new operating systems may need to be purchased, Maurer added.
• Make a communications plan. Some members may be using TLS 1.0 via old operating systems, so credit unions will need to notify members of the change soon and encourage them to update, Wordhouse said. “The challenge with that messaging in my opinion is most members don't understand what that means,” Maurer added.
• Make time. Set aside three to six months for the transition work, Grilli advised. Besides everything else on this list, there's a lot of testing to do, plus upgrades and purchases may take weeks. Be sure to build in time for training, too. Things should be happening in the first quarter of 2018, he advised.
• Save your notes. “We'll probably have this conversation this time next year for TLS 1.1, and probably a year or two after that for 1.2. I mean, the bad guys are going to continue to attack these protocols looking for weaknesses,” Wordhouse said. “This is part of life in the Internet age.”