Today I get a frantic message from this person that their browser says the site is insecure and refuses to load it. They cannot access their order information or process payments.
This person runs a small (franchised) business. But they are worried about the security of the system that they are using.
I put in the URL for the POS system into the ssllabs.com tests and sure enough, it scores an "F", runs TLS 1.0, etc.
What makes matters more complicated is that there has been some chargeback fraud happening. It is probably unrelated to this, but it makes one wonder.
Given that there are PCI considerations, is there any recourse as a franchisee to something like this? They could refuse to use the system, but are afraid of losing orders or being accused of some franchise agreement breach.
My advice so far has been to yell as loud as possible, provide documentation, make as much noise as possible, and use cash/check/PayPal to process payments until the provider gets the issue resolved. The provider was frustrated that this person wouldn't just use Internet Explorer, since that's what they suggest everyone else do.
Any advice here? What would you do?
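As an added check that is not part of the question or any answer here, the following Python script (standard-library `ssl` only) records which TLS versions a server still negotiates, which is the finding behind the SSL Labs grade and is useful to attach to the documentation sent to the provider; the hostname is assumed to be passed on the command line, and the verdict function can also be fed a constructed result dictionary offline.

```python
import socket
import ssl

VERSIONS = [  # oldest first; TLS 1.0/1.1 are what current browsers refuse
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
DEPRECATED = {"TLS 1.0", "TLS 1.1"}

def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the local OpenSSL cannot even offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the negotiated protocol matters here
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:  # modern OpenSSL refuses TLS 1.0/1.1 locally unless the security level drops
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL): just try as-is
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def probe_all(host, port=443):
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}

def assess(results):
    """Verdict plus the list of deprecated versions the server still accepts."""
    old = sorted(v for v, ok in results.items() if ok and v in DEPRECATED)
    modern = any(ok for v, ok in results.items() if v not in DEPRECATED)
    if old and not modern:
        return "FAIL", old  # nothing but deprecated protocols: browsers refuse to load it
    if old:
        return "WARN", old  # deprecated protocols still enabled next to modern ones
    return "OK", old

if __name__ == "__main__":
    import sys
    found = probe_all(sys.argv[1])  # hostname of the site to document
    print(found, assess(found))
```

A "FAIL" verdict matches the symptom in the question: a server that only accepts TLS 1.0/1.1 cannot be reached at all by a browser that has dropped those versions.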
None of the providers would disable TLS v1.0/1.1 and won't say when they will.
Also realize that some enterprise security products are also starting to block or throw warnings due to the host having old SSL/TLS protocols enabled.
Start looking at other POS systems immediately if possible. If that system's owners do not take security seriously, ditch them.
One option, which would likely hurt your friend's business, is to go public about that entire franchise using insecure payment systems.
Put an ATM in the lobby/outside and go cash only.