PCI DSS v3 and TLS v1.0
The issue
In PCI DSS v3.1, early TLS is no longer an example of strong cryptography or a secure protocol.
The PCI DSS v3.1 requirements directly affected are:
- Requirement 2.2.3 - Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
- Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Early TLS is not considered strong cryptography and cannot be used as a security control after 30th June, 2018. Prior to this date, implementations that use early TLS must have a formal Risk Mitigation and Migration Plan in place.
Effective immediately, stores must not use early TLS. We will leave TLS v1.0 enabled by default until 30th June 2018, after which, it will be mandatory for us to disable it.
The impact
A number of devices only support TLS v1.0 - and disabling it will result in the following devices being able to access any HTTPS area of your store.
- Android 2.3.7
- Android 4.0.4
- Android 4.1.1
- Android 4.2.2
- Android 4.3
- IE 6 / XP
- IE 7 / Vista
- IE 8 / XP
- IE 8-10 / Win 7
- IE Mobile 10 / Win Phone 8.0
- Java 6u45
- Java 7u25
- OpenSSL 0.9.8y
- Safari 5.1.9 / OS X 10.6.8
- Safari 6.0.4 / OS X 10.8.4
What you need to do
Customers wishing to stay PCI compliant need to either complete a Risk Mitigation plan, or request that we disable TLS v1.0 (by support ticket). Sonassi cannot assist in the production of a Risk Mitigation plan.
More information
You can find more information from the official notice here, https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf - or by contacting your QSA.