Author Topic: PCI compliance changes  (Read 2835 times)

jetboy

PCI compliance changes
« on: April 27, 2015, 04:14:09 PM »
Earlier this month, the PCI Security Standards Council published an update (PCI DSS v3.1), deprecating TLS 1.0. The date for compliance is 30 June 2016. For new implementations, it's effective immediately. As I understand it, this means no taking card payments using this protocol and the earlier SSL protocols.

https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss

From what I can see, this update will block:

Android <= 4.3
IE 7-10 (so that'd be all IEs on Windows XP)
Java 6 & 7
OS X Safari < 7.1

all of which max out at TLS 1.0 by default (I think). I believe it is possible to get some older IEs to support later versions, but I don't think MS have pushed the change.

Am I reading this correctly? Does anyone have any insight?
« Last Edit: April 28, 2015, 01:59:54 PM by jetboy »
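For anyone reading the thread who administers the server side, the following is an added illustration (not from the original post) of what the PCI DSS v3.1 change means in practice: an nginx `ssl_protocols` setting that still offers the deprecated protocols, beside the corrected setting. It assumes a site served by nginx with TLS already configured; the cipher line is a placeholder for whatever suite list the site already uses.

```nginx
server {
    listen 443 ssl;
    server_name example.com;           # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.key;

    # BEFORE: still negotiates TLS 1.0 (and SSLv3 on old builds).
    # This is what the clients listed in the post (Android <= 4.3,
    # IE 7-10 on XP, Java 6/7, older Safari) fall back to.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # AFTER: only TLS 1.1 and 1.2 are offered, which is the
    # floor PCI DSS v3.1 sets once TLS 1.0 is deprecated.
    # Clients that max out at TLS 1.0 will fail the handshake
    # rather than silently negotiate the weaker protocol.
    ssl_protocols TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;     # placeholder; keep the site's own list
}
```

After reloading nginx, `openssl s_client -connect example.com:443 -tls1` should fail to complete a handshake while `-tls1_2` succeeds, which is the quickest way to confirm the deprecated protocol is really gone.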

ergophobe

Re: PCI compliance changes
« Reply #1 on: May 05, 2015, 04:13:54 PM »
I read that some payment gateways have already started refusing TLS 1.0 and of course SSL connections.

So in fairly short order, I think it will become very difficult to buy things online from a Windows XP machine, but IE8 isn't dead yet - in theory it can be set to support TLS 1.1 and 1.2.


The massive chart here is pretty amazing
http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers


That said, I would guess 99% of people on IE8 are on it because it's as high as they can go on Windows XP


ergophobe

Re: PCI compliance changes
« Reply #2 on: May 05, 2015, 04:15:09 PM »

jetboy

Re: PCI compliance changes
« Reply #3 on: May 05, 2015, 04:42:26 PM »
Quote: "...it will become very difficult to buy things online from a Windows XP machine"

Or even browse HTTPS websites if it becomes commonplace to leave out TLS 1.0 by default, regardless of PCI.

If I were a tin-foil hat type, I'd suggest that this PCI change, combined with browser makers and search engines (hinting about) rewarding HTTPS websites, was a concerted effort to eradicate older web browsers.