Beginning July 1, 2018, the PCI Data Security Standard (PCI DSS) for safe processing of payment data no longer permits the TLS 1.0 protocol, which is no longer considered secure and no longer meets PCI DSS requirements for ‘strong cryptography’. SSL/early TLS has many known vulnerabilities that can put your organization at risk of a breach. Below are several FAQs to help explain how this change may impact your brand. Additional details can be found here as well.
What does this change mean for your Olo POS integration?
As part of your online ordering solution, Olo installs a “POS agent” service on your in-store Point of Sale (POS) server in order to communicate with Olo servers for order transmission and the synchronization of certain menu information.
Ahead of the PCI DSS deadline, Olo is providing free TLS 1.2 security protocol upgrade versions for all Olo in-store POS agents. The in-store POS integration software has been upgraded with several enhancements to help maintain your POS integrated digital ordering solution, including improved reconnection and version checking logic, better metrics collection, and smoother error handling.
Moving forward, new feature development will continue only for these updated, secure POS agents. Olo will maintain connectivity support for older agents already installed at store locations but highly recommends that these agents be replaced with the updated versions as soon as possible. New PCI security assessments are likely to require the disabling of TLS 1.0, which would disable older Olo agent communications.
New POS agent versions have been thoroughly tested and are backward compatible with all features and configurations. Upgrading can be done quickly and easily from the Olo Dashboard; once a store is set to a new version, it typically upgrades automatically within a few minutes.
Beyond this specific upgrade, Olo works constantly to improve our POS agents for all system integrations, and we recommend checking the Olo Dashboard periodically to make sure your stores are kept updated with free updates to the latest Olo versions marked for General Release.
Will the new Olo POS agent versions run in any in-store environment?
Some operating system requirements may apply. These more secure in-store POS agents will require the .NET framework version 4.5.2 or higher (.NET 4.6 or higher recommended). The TLS 1.2 secure agents will not run properly on the Windows XP operating system. Olo highly recommends that any Windows XP environments be replaced as soon as possible for the security of your in-store environment.
Do I have to upgrade my stores?
Olo POS agent upgrades are optional. Olo highly recommends that you upgrade, for the security and stability benefits as well as access to any new feature development, but Olo does not require that you take this action. Ultimately it is at the discretion of your organization and the PCI DSS requirements you intend to observe. The new agent is, however, required if you plan to disable TLS 1.0 for all outbound traffic at the OS level. You may upgrade at your discretion using these steps.
Does the Olo agent transmit or store cardholder data?
No, most QSAs consider the Olo agent to be out of scope for both PCI-DSS and PA-DSS, as it does not store, process or transmit cardholder data. However, the agent is typically installed on a computer that falls within PCI scope. As such, it is subject to any computer-wide restrictions that have been enforced - for example, if early SSL/TLS versions are disabled in the registry.
Is upgrading my Olo POS agent required for PCI compliance?
Not necessarily. The Olo POS agent does not store, process, or transmit cardholder data, and most QSAs, therefore, consider the Olo agent to be out of scope for both PCI-DSS and PA-DSS.
However, if TLS 1.0 is disabled at the Operating System level for the in-store environment, and you have an older Olo POS agent installed that relies on TLS 1.0, it will break your Olo integration. The store will go offline until an updated POS agent is installed.
It's highly recommended you upgrade the Olo agent before TLS 1.0 is disabled so that the auto-upgrade can be set from the Olo Dashboard. After TLS 1.0 is disabled, the upgrade will have to be done manually.
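The two pre-upgrade conditions this FAQ calls out (the .NET Framework minimum from the earlier question, and whether TLS 1.0 has already been disabled for outbound connections) can be checked on the POS server before touching the agent. The script below is an added example, not Olo's own tooling; it reads Microsoft's documented SChannel and .NET setup registry locations, and the .NET "Release" values 379893 (4.5.2) and 393295 (4.6) are Microsoft's published numbers.

```powershell
# Added example (not Olo's code): readiness check for a Windows host running an Olo POS agent.
# 1. Is .NET Framework 4.5.2+ installed (4.6+ recommended)?
# 2. Is TLS 1.0 already disabled for *client* (outbound) connections in SChannel?
#    The agent makes outbound connections, so the Client subkey is the one that matters;
#    if it is disabled before the agent is upgraded, the store goes offline.

# .NET 4.x "Release" DWORD values documented by Microsoft.
$DotNet452 = 379893
$DotNet46  = 393295

function Get-DotNetReleaseStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) { return 'NOT INSTALLED: no .NET Framework 4.x Full install found' }
    if ($release -lt $DotNet452) { return "TOO OLD (Release=$release): .NET 4.5.2 or higher is required" }
    if ($release -lt $DotNet46)  { return "OK (Release=$release): 4.5.2+ present, 4.6+ recommended" }
    return "OK (Release=$release): .NET 4.6 or higher"
}

function Get-Tls10ClientStatus {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return 'OS DEFAULT: no explicit TLS 1.0 client setting in SChannel' }
    # Enabled=0 or DisabledByDefault=1 both turn the protocol off for outbound connections.
    if ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) {
        return 'DISABLED: an older TLS 1.0-only agent cannot reach Olo from this host; upgrade manually'
    }
    return 'ENABLED: set the agent upgrade in the Olo Dashboard before disabling TLS 1.0'
}

Write-Host ".NET Framework : $(Get-DotNetReleaseStatus)"
Write-Host "TLS 1.0 client : $(Get-Tls10ClientStatus)"
# Windows XP is not supported by the TLS 1.2 agents; the OS string makes that obvious at a glance.
Write-Host "Operating system: $([System.Environment]::OSVersion.VersionString)"
```

Run it in an elevated PowerShell session on the POS server; a "DISABLED" TLS 1.0 result combined with an old agent means the Dashboard auto-upgrade path is no longer available and the manual upgrade steps apply.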
Does upgrading my Olo POS agent make my POS in-store environment PCI compliant?
Olo cannot certify your PCI compliance status. The overall status of your in-store PCI compliance must be reviewed by a Qualified Security Assessor (QSA). The upgraded security of the Olo POS agent installed in-store is ultimately a small piece of your overall data security puzzle.
What is SSL/early TLS?
Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems and to protect the confidentiality and integrity of information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to block known attacks and add support for new cryptographic algorithms, with major revisions in SSL 3.0 in 1996, TLS 1.0 in 1999, TLS 1.1 in 2006, and TLS 1.2 in 2008.