PCI-DSS 3.1 Security standard

PCI-DSS (the Payment Card Industry Data Security Standard) is published by the PCI Security Standards Council, an industry body set up by the major card brands. Among other things, it dictates which encryption protocols a site may use on the encrypted "https" pages that handle card payments. On April 15, 2015, the Council released a new version of the standard: PCI-DSS v3.1.

The most important change in v3.1 is that SSL and "early TLS", which includes the encryption protocol TLS 1.0, are no longer considered strong cryptography, so TLS 1.0 may no longer be used to protect payment pages. Since the older SSL protocols were already forbidden by earlier PCI-DSS requirements, TLS 1.0 is the last protocol available by default to many Internet Explorer users:

  • TLS 1.0 is the only protocol available to users of IE8 on Windows XP
  • TLS 1.0 is the only protocol available to users of IE9 on Windows Vista
  • TLS 1.0 is the default protocol for users of IE8, IE9 and IE10 on Windows 7; these browsers also support the more secure TLS 1.1 and TLS 1.2, but only if the user enables them manually

(More details on protocols supported by each browser are available here: http://en.wikipedia.org/wiki/Transport_Layer_Security)

The impact of disabling TLS 1.0 is potentially very large and could result in lost business:

  1. Users of IE8 on Windows XP and users of IE9 on Windows Vista would no longer be able to reach the payment pages of your site at all
  2. Most users of IE8, IE9 and IE10 on Windows 7 would no longer be able to reach the payment pages either; only those users who had manually enabled TLS 1.1 or TLS 1.2 would keep access

The only escape hatch in the v3.1 standard is a grace period: an existing site may continue to offer TLS 1.0 until June 30, 2016, provided that you prepare and file a risk mitigation and migration plan. Your Printers Website will continue to support TLS 1.0 until the end of that grace period on June 30, 2016.

If your site is periodically scanned by an Approved Scanning Vendor (ASV) such as Trustwave or SecurityMetrics, it will fail scans performed after April 15, 2015 for as long as it still accepts TLS 1.0. To pass the scan during the grace period, you must contact your ASV and do the following:

  1. File a risk mitigation and migration plan with your ASV
  2. Request a scan "exception" for your site from your ASV
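Before filing the plan it helps to see exactly what the scanner sees. The following script is an added example, not part of the original page or of the Your Printers Website platform: it pins a client handshake to each protocol version in turn and records which ones the server accepts, then applies the v3.1 rule (accepting SSL or TLS 1.0 fails the scan) and maps the result onto the browser profiles listed above. The host name and port are placeholders you supply; the client profile table is constructed from the bullets earlier on this page.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example, not code from the original page.  The target host is
whatever you pass on the command line; nothing here is tied to a site.
"""
import socket
import ssl

# Versions to probe, oldest first.  PCI-DSS v3.1 treats SSL and "early
# TLS" (TLS 1.0) as no longer being strong cryptography; TLS 1.1 and
# TLS 1.2 remain acceptable under that version of the standard.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
PROHIBITED = {"SSLv3", "TLSv1.0"}

# Client profiles constructed from the text above: the protocol set each
# browser/OS pair can use.  Windows 7 ships TLS 1.1/1.2 but IE8-10 leave
# them switched off unless the user enables them.
CLIENTS = {
    "IE8 on Windows XP": {"TLSv1.0"},
    "IE9 on Windows Vista": {"TLSv1.0"},
    "IE8/9/10 on Windows 7 (default settings)": {"TLSv1.0"},
    "IE8/9/10 on Windows 7 (TLS 1.1/1.2 enabled)": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
}


def probe_version(host, port, version, timeout=5.0):
    """Handshake with the server pinned to exactly `version`.

    Returns True if the server accepts it, False if it refuses, and None
    if the local OpenSSL build cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only care whether the protocol is accepted, not who the peer is.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 1.1.1/3.x refuse to offer TLS 1.0 and 1.1 at their default
    # security level; level 0 lets this probe (and only this probe) do so.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # non-OpenSSL backend without security levels
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # library compiled without this protocol version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
        except ssl.SSLError as err:
            if err.reason == "NO_PROTOCOLS_AVAILABLE":
                return None  # our side could not offer it: not a server verdict
            return False  # server sent a handshake alert
        except OSError:
            return False  # server simply closed the connection


def probe_server(host, port=443):
    """Map each version name to True/False/None for the given server."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results):
    """Turn a probe result into the PCI-DSS v3.1 verdict and its fallout."""
    offered = {name for name, ok in results.items() if ok}
    return {
        "passes_asv_scan": not (offered & PROHIBITED),
        "untested": sorted(name for name, ok in results.items() if ok is None),
        "locked_out": [client for client, can_use in CLIENTS.items()
                       if not (can_use & offered)],
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder
    found = probe_server(target)
    for name, ok in found.items():
        state = "accepted" if ok else ("refused" if ok is False else "untestable")
        print(f"{name:8s} {state}")
    print(assess(found))
```

Run it as `python probe_tls.py payments.example.com`. A result with TLS 1.0 accepted is what makes the ASV scan fail; turning TLS 1.0 off passes the scan but, as `assess()` shows, locks out the XP, Vista and default Windows 7 browsers, which is the trade-off the risk mitigation plan has to document. Versions reported as untestable could not be offered by your local OpenSSL build; re-run from a machine with an older library before concluding the server refuses them.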

Here is a risk mitigation plan template offered by Trustwave:

https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template/