Is your ecommerce site ready for the new PCI Data Security Standards?

If you process card payments, read on…

In April 2015, the PCI Security Standards Council released version 3.1 of its “Requirements and Security Assessment Procedures”.

The document, which has set out the minimum security standards for online stores under that title since 2008, will be familiar to any ecommerce business processing card payments via its website.

After a run of attacks on SSL and early TLS (BEAST and CRIME, and most recently POODLE), the way in which your server negotiates HTTPS connections is now under scrutiny.

The good ol’ trusty padlock you see in your browser’s address bar when you load a secure page only tells you the connection is encrypted. It says nothing about which protocol version was negotiated, so it is no longer an indication that your data is protected to the new PCI standard.

I have an SSL certificate, does this still affect me?

Yes.

When you visit a “secure” page using HTTPS, the protocol used to encrypt the data you send and receive is negotiated between the browser and the server: the browser offers the versions it supports, and the server picks the newest one it also supports. Which versions the browser offers depends on your operating system and browser version.

If you’re using the most up-to-date version of Google Chrome, your connection almost certainly uses TLSv1.2. However, if you’re using an older version of Opera or Internet Explorer, you may be falling back to a weaker protocol such as SSLv3, or even SSLv2.

What’s new in PCI 3.1?

The latest round of requirements in the PCI DSS document states the following:

“SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016.”

“Early TLS” means TLSv1.0. So SSLv2, SSLv3 and TLSv1.0 are now all considered non-compliant (TLSv1.1 is still accepted, with TLSv1.2 recommended), and if your site is subject to a regular PCI DSS scan and you still support any of these protocols, you will see them being raised as findings very soon.

How the browsers stack up

Internet Explorer breaks the internet. Again.

What’s most worrying about the new standard is how far behind browser support is for the PCI-compliant protocols, TLSv1.1 and TLSv1.2.

At some point soon, you’re going to have to make a very difficult decision: Do I comply with the PCI guidelines even if this means losing customers who use older browsers?

Quite simply, by disabling TLSv1.0, any customer on a browser older than the versions listed below would no longer be able to reach the secure pages of your website:

Browser                               First version to support TLSv1.1
Google Chrome                         22
Google Android OS Browser             Android 5.0
Mozilla Firefox                       24
Microsoft Internet Explorer           10
Microsoft Internet Explorer Mobile    10
Opera                                 9
Apple Safari                          7
Apple Safari (iOS)                    iOS 5

That’s right folks: to remain PCI compliant, users on browsers as recent as Internet Explorer 10 (which supports TLSv1.1 but ships with it switched off by default) will no longer be able to access your site. Eeek!

How to disable non-PCI protocols

If you’re not on managed hosting, configuring your web server to accept only TLSv1.1 and above is quite straightforward. On Apache 2.4, for example, start from all supported protocols and remove the unwanted ones with the ‘-’ prefix in the SSLProtocol directive (SSLv2 is not part of “All” in Apache 2.4, so “-SSLv2” is harmless but redundant):

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
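To make the two points above concrete (how the browser and server settle on a protocol version, and what the SSLProtocol directive actually leaves enabled), here is an added example written for this post. It is not Copify’s code and it is not mod_ssl’s own parser: it models the documented Apache 2.4 “+”, “-” and “all” rules for SSLProtocol, flags anything PCI DSS 3.1 no longer allows, and then works out which protocol each of a few constructed, approximate browser profiles would end up with against that configuration. TLSv1.3 post-dates the post and is left out.

```python
"""Model Apache mod_ssl's SSLProtocol directive and check it against PCI DSS 3.1.

Added example for this post: not Copify's code and not mod_ssl's real parser,
only a model of the +/-/all semantics documented for Apache 2.4.
"""

# Oldest to newest. TLSv1.3 (Apache 2.4.36+) post-dates the post and is omitted.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Apache 2.4 documents "all" as +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2.
# SSLv2 is not part of "all", so "-SSLv2" is redundant but harmless.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# PCI DSS 3.1: SSL and "early TLS" (TLSv1.0) are not strong cryptography.
PCI_31_FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}


def parse_ssl_protocol(directive: str) -> set:
    """Return the set of protocols an "SSLProtocol ..." line leaves enabled.

    Modelled rules: "+KEYWORD" adds, "-KEYWORD" removes, a bare keyword
    replaces the whole set. Keywords are case-insensitive; "all" expands
    to APACHE_ALL. A leading "SSLProtocol" word is accepted and skipped.
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]
    enabled: set = set()
    for word in words:
        action, keyword = "", word
        if word[0] in "+-":
            action, keyword = word[0], word[1:]
        if keyword.lower() == "all":
            protos = set(APACHE_ALL)
        else:
            match = [p for p in PROTOCOL_ORDER if p.lower() == keyword.lower()]
            if not match:
                raise ValueError(f"unknown SSLProtocol keyword: {word}")
            protos = set(match)
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = protos
    return enabled


def pci_31_findings(enabled: set) -> list:
    """Enabled protocols a PCI DSS 3.1 scan would raise, oldest first."""
    return [p for p in PROTOCOL_ORDER if p in enabled and p in PCI_31_FORBIDDEN]


def negotiate(server: set, client: set):
    """Newest version both sides support, or None when the handshake fails."""
    common = [p for p in PROTOCOL_ORDER if p in server and p in client]
    return common[-1] if common else None


# Constructed, approximate client profiles (assumptions for the example only).
# IE 10 supports TLSv1.1/1.2 but ships with them switched off by default.
CLIENTS = {
    "Internet Explorer 8-10 (default settings)": {"SSLv3", "TLSv1"},
    "Internet Explorer 11": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "Chrome 22 (first with TLSv1.1)": {"SSLv3", "TLSv1", "TLSv1.1"},
    "Current Chrome / Firefox": {"TLSv1", "TLSv1.1", "TLSv1.2"},
}


def report(directive: str) -> dict:
    """Enabled set, PCI findings, and the version each client profile would get."""
    enabled = parse_ssl_protocol(directive)
    return {
        "enabled": enabled,
        "findings": pci_31_findings(enabled),
        "clients": {name: negotiate(enabled, supported)
                    for name, supported in CLIENTS.items()},
    }


if __name__ == "__main__":
    # The weak default beside the corrected directive from the post.
    for directive in ("SSLProtocol All",
                      "SSLProtocol All -SSLv2 -SSLv3 -TLSv1"):
        result = report(directive)
        print(directive)
        print("  enabled :", sorted(result["enabled"], key=PROTOCOL_ORDER.index))
        print("  PCI 3.1 findings:", result["findings"] or "none")
        for name, version in result["clients"].items():
            print(f"  {name:44s} -> {version or 'cannot connect'}")
```

Run it and the first directive shows SSLv3 and TLSv1 as findings with every profile connecting; the second clears the findings but leaves the IE 8-10 default profile unable to connect, which is exactly the trade-off the post describes. Note that the model starts from an empty set, so a directive such as “SSLProtocol -SSLv3 -TLSv1” without “All” enables nothing at all; always start from “All” (or list the versions you want explicitly).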

We hope this helps! If you’re unsure of your website’s current setup and whether you might be falling foul of the new PCI guidelines, try the handy server test over at SSL Labs, which lists exactly which protocol versions your server will negotiate.

CC Images by Perspecsys Photos and Andreas Åkre Solberg

rob

Web developer at Copify
