Keeping Donor Credit Card Information Safe

What keeps browser traffic safe?

When transmitting any data online (like making a credit card payment), there are certain security protocols that are required in order to keep information from being intercepted and stolen. Most users look for the familiar lock symbol in their browser window and the s indicating secure at the beginning of the page URL https://), but that can indicate many things.

Acronym Overload: HTTPS and SSL and TLS, oh my!

HTTPS shows that a page is loaded from a verified source and is encrypting data transferred between the web browser and the server. This encryption, however, can be using different protocols (listed from least to most secure): SSL (versions 1.0, 2.0, or 3.0) or TLS (versions 1.0, 1.1, or 1.2).  Because of the widespread adoption of these standard protocols, hackers are highly motivated to find exploits in the way the encryption protocol works to steal financial information. This has led to a sort of “arms race” between security experts and hackers. As soon as one security protocol is compromised, new ones are developed to fix the flaws. Unfortunately older computers may not be able to utilize the newest technology leaving those users at risk.

Because of this, the Payment Card Industry (comprised of the major credit card companies like Visa, MasterCard, American Express, and others) have determined that online transactions using all versions of SSL or TLS 1.0 are no longer safe and should not be accepted as soon as possible.

While the Payment Card Industry Data Security Standards (PCI-DSS) have been amended to extend the date two years, they make it clear that this is not recommended and any information submitted over anything older than TLS 1.1 is seriously at risk. We don’t want to there to be any chance for your donors’ credit card information could be compromised (even if it’s a 2% chance that they’ll be using an outdated browser) due to a known security issue, so we’re making the change now.

A quick note on SSL Certificates

SSL Certificates (the thing you purchase for your website to get the HTTPS connection) originally got their name because they were essential in enabling the first widely adopted security protocol on the web using Secure Sockets Layer (SSL). Even though we’ve moved past SSL to TLS, the certificates that hold the encryption keys are still referred to as “SSL Certificates” even though they can work with any encryption protocol.

What does this mean for you?

If your constituents are using an older browser (usually on a computer with an out of date operating system), their credit card information could be compromised if submitted. Starting July 1st, 2016, donors using the following browsers will not be able to make donations online because the most secure protocol they support is TLS 1.0:

  • Internet Explorer 10 or earlier (default for Windows 8.0)
  • Safari 6 or earlier (default for Mac OS 10.8)

What is Bloomerang doing to help?

In accordance with the Payment Card Industry’s recommendations, we are disabling support for all versions of SSL and TLS 1.0 on June 30th, 2016. This means that any online donations made from the affected browsers will not be accepted. When a Bloomerang form loads, a warning message will display alerting the donor that their browser is out of date and needs to be updated. Encouraging the donor to download an up to date modern browser will help them protect their information anywhere they’re using the web (hooray! You’re a champion of user privacy!)

TLS warning message

What can you do?

Be prepared to answer questions from donors regarding why they need to upgrade their browser. Remember:

  • If they are getting the message, it means their credit card information is at risk when submitting on any site, not just your donation form
  • They should be able to download the latest version of Chrome or Firefox to get a more secure browser
  • You can take their donation information online and enter it into Bloomerang directly (by picking Credit Card as a payment method when adding a gift)

If you have self-hosted or custom forms (you can determine this by looking for “Custom” and Self-Hosted” when viewing the list of your online giving forms),

Self-hosted & advanced forms

donors will not be able to enter their credit card information (the payment information will fail to show up on screen) after June 30th. To fix this follow these instructions to update the code on your forms before June 30th, 2016. The update will provide the same warning message to users that they will not be able to make donations using old browsers as will display on standard Bloomerang forms.

Additional Information & References

PCI: Date change for Migrating from SSL and Early TLS

PCI 3.1: Stop Using SSL and Outdated TLS Immediately

Bloomerang Guide to updating Self-Hosted forms for Deprecated TLS

Wikipedia: Transport Layer Security

Ross Hendrickson

Ross Hendrickson

Co-Founder and CEO at Bloomerang
Ross Hendrickson is a co-founder and the CEO of Bloomerang. Prior to co-founding Bloomerang, he served as Product Manager for Bostech Corporation and later Avectra. He graduated with a B.S. in Economics & Engineering Science from Vanderbilt University.
Ross Hendrickson
By | 2017-06-10T18:23:48+00:00 June 21st, 2016|Life At Bloomerang, Product Updates|

Leave A Comment