rob
In April 2015, The PCI Security Standards Council released version 3.1 of its “Requirements and Security Assessment” procedures.
The new document, which has outlined the minimum security standards for online stores since 2008, will be familiar to any ecommerce business processing card payments via their website.
In the aftermath of recent SSL vulnerabilities, mainly the BEAST and CRIME exploits, the way in which your server processes HTTPS requests is now under scrutiny.
The good ol’ trusty lock symbol you see in your browser’s address bar when you access a secure page, is no longer an indication your data is encrypted to the new PCI standards.
I have a SSL certificate, does this still affect me?
Yes.
When you visit a “secure” page on the internet using HTTPS, the method in which the data you send and receive is encrypted will depend on your operating system, and browser.
If you’re using the most up-to-date version of Google Chrome, then most likely your request uses the secure TLSv1.2 protocol. However, if you’re using an older version of Opera or Internet Explorer, you may be using a potentially weaker protocol such as SSLv2.
What’s new in PCI 3.1?
The latest round of requirements in the PCI DSS document state the following;
SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016.
The SSLv2, SSLv3 and TLSv1.0 protocols are all now considered non-compliant, and if your site is subject to a regular PCI DSS scan, and you still support these protocols, you will see these issues being raised very soon.
How the browsers stack up
What’s most worrying about the new standards, is how far behind browser support is for the new PCI compliant protocols.
At some point soon, you’re going to have to make a very difficult decision: Do I comply with the PCI guidelines even if this means losing customers who use older browsers?
Quite simply, by disabling TLSv1.0, any customers using one of the following browsers would not be able to access the secure pages of your website;
| Browser | Oldest version not to support TLSv1.1 |
|---|---|
| Google Chrome | 22.00 |
| Google Android OS Browser | Android 5.0 |
| Mozilla Firefox | 24.00 |
| Microsoft Internet Explorer | 10.00 |
| Microsoft Internet Explorer Mobile | 10.00 Mobile |
| Opera | 9.00 |
| Apple Safari | 7.00 |
| Apple Safari mobile | iOS 5 |
| Google Chrome | 22.00 |
| Google Chrome | 22.00 |
That’s right folks, to remain PCI compliant users on browsers as late as Internet Explorer 10 will no longer be able to access your site. Eeek!
How to disable non-PCI protocols
If you’re not on managed hosting, configuring your webserver to only accept TLSv1.1 or above is quite straight forward. On Apache 2.4 for example, simply remove unwanted protocols using the ‘-‘ option in your config directive;
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
We hope this helps! If you’re unsure of your website’s current setup and whether you might be falling foul of the new PCI guidelines, try the handy tool over at SSL Labs.
CC Images by Perspecsys Photos and Andreas Åkre Solberg
Bruce Orrock
Tamsin Spargo
Gill Fernley
Rob, thanks for useful information!