It’s becoming less and less safe to run older versions of web browsers. Older browsers don’t support the latest TLS versions, and by Summer 2016 websites which are trying to be PCI compliant will need to disable support for them. Update: The PCI Security Council are allowing merchants to certify that they are mitigating the risk until July 2018.
Being PCI compliant is a requirement for any website which accepts credit cards, though merchants can vastly simplify the process by using third party payment gateways who accept much of the burden of compliance.
SagePay removed support for SSL version 3 in June, rendering IE users on Windows XP no longer able to use their site to make card payments. This is only the first of many browsers to face the axe.
Older browsers didn’t support the newest versions of TLS (the protocol that secures your browser’s connections) when they were released, and some users still haven’t upgraded to new versions.
There are usually all manner of good reasons to upgrade your browser and many consumers will have opted into automatic upgrades; Microsoft, Apple, Google and Mozilla all have their own automatic upgrade paths.
This is generally good news for the market: newer browsers are safer, older browsers being deprecated quicker will keep consumers secure, and many new web technologies are only available in new browsers. The sooner that old versions of Internet Explorer et al are deprecated, the sooner designers can start to employ CSS Flexbox and proper responsive image support.
It’s not all good news though. There are two major classes of user who will be left out in the cold: mobile users and corporate users (including most educational users).
In the mobile world, Apple tend to support their devices for longer than most Android handset manufacturers – in fact, many popular handsets will ship with an already out-of-date version of Android and may never get an upgrade.
Google are attempting to fix this in two ways: the Android One program encourages the use of phones which are closer to the stock Android experience (and therefore easier to update) and is being marketed heavily in the developing world.
In the first world, the next nearest thing is the Chrome web browser which is distributed separately from the Android operating system. This means that even with an older Android device you can at least have many of the security improvements that a new device would have. Unfortunately a lot of users aren’t aware of this, and may have had the generic Android “Browser” browser or a branded third party web browser shipped as their default.
Both of these initiatives don’t solve today’s problem though: there are already a lot of Android handsets running versions older than KitKat (4.4) which will lose the ability to connect to secure websites in the Summer.
The SEO and privacy trend of making sites SSL throughout is going to make this experience even worse – rather than being able to browse a store and then find out you can’t check out on your device, many users are going to go straight from a Google search to an error page saying the server has rejected their connection.
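As an added illustration, not code from the original post, of why an SSLv3-only or pre-KitKat client ends up on that error page: a minimal parser for the version field of a TLS ClientHello, a server-side policy check, and a tally a merchant could run over captured ClientHellos to gauge how many customers a cutoff would turn away. The ClientHello bytes are constructed here, and the TLS 1.1 floor is an assumed policy, not a figure from the post.

```python
import struct
from collections import Counter

# Protocol versions as the (major, minor) pair carried in the handshake.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Assumed server policy: SSL and "early TLS" (1.0) disabled, so TLS 1.1 is the floor.
MIN_VERSION = (3, 2)


def make_client_hello(major, minor):
    """Build a minimal, constructed ClientHello record (one cipher suite, no extensions)
    as a pre-TLS-1.3 client would send it. Sample input only."""
    body = (bytes([major, minor])        # client_version
            + b"\x00" * 32               # random (zeroed; constructed sample)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02" + b"\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01" + b"\x00")         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def parse_client_version(record):
    """Return the client_version (major, minor) from a ClientHello record.
    Reads only the legacy version field; a TLS 1.3 supported_versions extension is ignored."""
    if len(record) < 11:
        raise ValueError("record too short")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    if len(record) < 5 + rec_len:
        raise ValueError("truncated record")
    return record[9], record[10]


def negotiate(record, min_version=MIN_VERSION):
    """Apply the server policy: accept, or answer with a protocol_version alert,
    which is what the user sees as 'the server rejected the connection'."""
    version = parse_client_version(record)
    name = VERSION_NAMES.get(version, "unknown %d.%d" % version)
    accepted = version >= min_version
    return {"client": name, "accepted": accepted,
            "alert": None if accepted else "protocol_version"}


def rejected_by_version(records, min_version=MIN_VERSION):
    """Tally rejected handshakes per client version over a batch of ClientHellos,
    to estimate how many customers an early-TLS cutoff would turn away."""
    tally = Counter()
    for rec in records:
        result = negotiate(rec, min_version)
        if not result["accepted"]:
            tally[result["client"]] += 1
    return tally
```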
For different reasons, this is also going to be the case in the business and education markets – when people don’t control their own machines they are often left with an approved version of a browser that their IT department supports.
Very often, because it lines up with other Microsoft support periods, this is Internet Explorer. Worse, because of internal systems which may not have kept pace with the times, these users are sometimes forced into using an even older version. This is usually because of some critical internal application which hasn’t been updated to support newer browsers (or just isn’t “certified” to operate with them).
Microsoft isn’t silent in this though: it’s sending a strong message that IT departments are going to need to change. It’s slashing the support for Internet Explorer versions, starting in January 2016.
After this, IE7 and IE8 will no longer be supported. IE9 will only be supported on Vista, and all other desktop Microsoft OSes (7, 8 and 10) will only support Internet Explorer 11. This is massive news – Microsoft has taken seven years off the supported lifecycle for IE10, to send the message that sitting on an old version of a piece of software for a decade is no longer acceptable.
For merchants, there’s a race: PCI and related standards will force you to stop accepting old clients, while Microsoft and the whole web industry are trying to get users to update. Merchants will be the ones caught in the middle, with potentially unhappy customers contacting the merchant when they can’t complete their purchases.
About the only good news is that you’re not alone: with major card processors and even PayPal integrating these necessary changes, users stuck on older browsers will get the message: it’s not us, it’s you.