Tag Archives: web development

Is your ecommerce site ready for the new PCI Data Security Standards?


If you process card payments, read on…

In April 2015, the PCI Security Standards Council released version 3.1 of its “Requirements and Security Assessment” procedures.

The document, which has outlined the minimum security standards for online stores since 2008, will be familiar to any ecommerce business that processes card payments through its website.

In the aftermath of recent SSL vulnerabilities, mainly the BEAST and CRIME exploits, the way in which your server processes HTTPS requests is now under scrutiny.

The good ol’ trusty lock symbol you see in your browser’s address bar when you access a secure page is no longer an indication that your data is encrypted to the new PCI standards.

I have an SSL certificate, does this still affect me?


When you visit a “secure” page on the internet using HTTPS, the way in which the data you send and receive is encrypted will depend on your operating system and browser.

If you’re using the most up-to-date version of Google Chrome, then most likely your request uses the secure TLSv1.2 protocol. However, if you’re using an older version of Opera or Internet Explorer, you may be using a potentially weaker protocol such as SSLv2.

What’s new in PCI 3.1?

The latest round of requirements in the PCI DSS document states the following:

SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016.

The SSLv2, SSLv3 and TLSv1.0 protocols are all now considered non-compliant, and if your site is subject to a regular PCI DSS scan, and you still support these protocols, you will see these issues being raised very soon.

How the browsers stack up

Internet Explorer breaks the internet. Again.

What’s most worrying about the new standards is how far behind browser support is for the new PCI compliant protocols.

At some point soon, you’re going to have to make a very difficult decision: Do I comply with the PCI guidelines even if this means losing customers who use older browsers?

Quite simply, by disabling TLSv1.0, any customers using one of the following browsers would not be able to access the secure pages of your website:

| Browser | Oldest version not to support TLSv1.1 |
| --- | --- |
| Google Chrome | 22.00 |
| Google Android OS Browser | Android 5.0 |
| Mozilla Firefox | 24.00 |
| Microsoft Internet Explorer | 10.00 |
| Microsoft Internet Explorer Mobile | 10.00 Mobile |
| Opera | 9.00 |
| Apple Safari | 7.00 |
| Apple Safari mobile | iOS 5 |

That’s right folks: if you remain PCI compliant, users on browsers as late as Internet Explorer 10 will no longer be able to access your site. Eeek!

How to disable non-PCI protocols

If you’re not on managed hosting, configuring your webserver to only accept TLSv1.1 or above is quite straightforward. On Apache 2.4, for example, simply remove unwanted protocols using the ‘-’ option in your config directive:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
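
One way to check a config file against this rule, as an added example that is not part of the original post: it models how mod_ssl combines `SSLProtocol` tokens (`-` removes, `+` adds, a bare name replaces what was set so far) and flags any directive that still leaves SSLv2, SSLv3 or TLSv1 enabled. The function names, the sample config and the expansion of `all` (Apache 2.4 with OpenSSL 1.0.1 or later) are assumptions of the example.

```python
import re

# Assumption: "all" expands to these on Apache 2.4 built against OpenSSL 1.0.1+.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = {p.lower(): p for p in ALL + ("SSLv2",)}
# Protocols the article lists as non-compliant under PCI DSS 3.1.
NON_COMPLIANT = {"SSLv2", "SSLv3", "TLSv1"}

def effective_protocols(args):
    """Return the set of protocols left enabled by one SSLProtocol argument string."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            group = set(ALL)
        elif name in KNOWN:
            group = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token}")
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = set(group)  # a bare token replaces what was set so far
    return enabled

def audit(config_text):
    """Return (line_no, directive_args, offending_protocols) per SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and do not match
            bad = sorted(effective_protocols(m.group(1)) & NON_COMPLIANT)
            findings.append((no, m.group(1), bad))
    return findings

# Constructed sample config, not taken from a real server.
SAMPLE = """\
# SSLProtocol all
SSLProtocol all -SSLv2
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
"""

if __name__ == "__main__":
    for no, args, bad in audit(SAMPLE):
        print(f"line {no}: {args!r} ->", "non-compliant: " + ", ".join(bad) if bad else "OK")
```

A directive that only drops SSLv2 is the common leftover from older hardening guides; the audit reports it because SSLv3 and TLSv1 remain enabled.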

We hope this helps! If you’re unsure of your website’s current setup and whether you might be falling foul of the new PCI guidelines, try the handy tool over at SSL Labs.

CC Images by Perspecsys Photos and Andreas Åkre Solberg

We ♥ IE6

We’re constantly deploying new features to Copify.

Some are small updates that users are unlikely to notice. Others, where changes to the user interface are involved, require a bit more care and attention to make sure things are hunky-dory when it comes to cross-browser compatibility.

Let’s face it – the Internet is a mess. There are so many different browsers and devices, ensuring that your web-app works on all of them can be a bit of a minefield.

Thankfully, most modern browsers play nice, and all render HTML & CSS pretty much the same way.

Oh wait, no. They don’t. Do they, Bill?

Many agencies and web developers have fought hard for a long time to “convert” as many people as possible away from Internet Explorer, and with recent stats on browser usage it looks like it’s not all been in vain.

However, we still have a significant number of visitors using older versions of Internet Explorer (mainly IE6 and IE7) causing us headaches. One of the biggest headaches is testing.

If you’re on a Mac, or running Windows 7, you can’t just download IE6 and see how your site looks. You’re going to need XP.

In this post I’m going to show you how we use a virtual machine to test these older pesky browsers.

All you need is Windows 7 and a few gigs of disk space going spare.

Ready? You were born ready!

Windows Virtual PC

Head over to Microsoft’s website and download Windows Virtual PC. You don’t need “XP mode” so you can skip this if you like, just make sure that you select the correct version of Virtual PC for your machine and operating system.

Make sure you get the correct version: 32-bit vs 64-bit

Once the download has finished, have a bash at installing. You’ll figure it out.

Windows Virtual PC VHD

Next, you need to download the Windows Virtual disk image to run.

I need to test IE6 and IE7 on Windows XP so I download the package called “Windows_XP_IE6.exe”.

Take the mouse in your hand and click the thing that says “Download”

The disk image comes with Windows XP and IE6, and also the installation files for IE7.

However, once you’ve installed IE7 you can’t run IE6 again. So make a copy of the first image, rename it and use this for IE7.

Make a copy if you need to use both IE6 and IE7 regularly

Fire up Windows Virtual PC

First off, select which image you want to run.

Right click on the Windows XP VMC and enter “Settings”. From here you can choose which image to use. Change the setting for “Hard Disk 1” and browse for your disk image.

Choose which disk image to run

Login issue

As with many Microsoft products, there is some kind of annoying, inexplicable problem with its use. In this case, it’s the fact you are presented with an impenetrable login form.

To get round this, choose “Disable Integration Features”. No idea what this does, but it gets you to a login screen that works!

Disable this to get to the normal login

You can now log in with the username “IE User” and the password “Password1”.

Password is case sensitive! Bless.


You’ve now traveled back in time and are about to experience the wonders of 1990s web browsing. I suggest playing some classic Nineties pop tunes while you test to get the full effect.

OK let’s Brogram this Mother until all the horribleness is gone. Done? Great!

Probably losing £££s because of this, but it’s too funny to care

We’ve made our fixes to ensure IE6 users get the best browsing experience, and we’re now ready to do the same for IE7.


If you never wish to use IE6 ever again in your life (highly likely) then just run the IE7 install.

Unfortunately for me I may have to revisit good ol’ IE6, so I just reconfigure the virtual machine to use the image copy I made earlier. I’ve renamed them so I know which is which.

Choose the IE7 image this time

Again, work your magic and fix all the nasty codez with some CSS hacks.

If, like us, you’re using Git (What? You’re not using Git? Why not?) this is a good time to commit your changes and wave and scream at your boss, hinting you’ve made your website look great for pensioners and public sector workers across the country.

Commit your changes. Feels good.

Having problems following this guide? Tweet now or forever hold your peace.