Client support vs PCI 3.1 Compliance

Back in December 2015 the Payment Card Industry Security Standards Council (PCI SSC) agreed it was time to start disabling support for old and insecure SSL protocols.

TLS 1.0 needs to be switched off before 30 June 2018.

While many of the old SSL protocols have already been disabled because of vulnerabilities such as POODLE and Heartbleed, this will be the first time a protocol that is still used by some old browsers is disabled without a known vulnerability.

A large number of older clients will break when you disable TLS 1.0, including:

  • Android 4.3 and older
  • Internet Explorer 10 and older
  • Java 7 and older
  • Safari 5.1.9 / OS X 10.6.8
  • Safari 6.0.4 / OS X 10.8.4

We recommend you look at your analytics and see how many customers will be affected before making this change.
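One way to measure that impact from web-server access logs, as an added example that is not part of the original post: it assumes nginx has been configured with a custom log_format that appends `$ssl_protocol/$ssl_cipher` after the user agent (an assumption, not a default), and counts requests and distinct client addresses per protocol version, with checkout pages broken out separately.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the assumed format
# (standard combined log followed by "$ssl_protocol/$ssl_cipher").
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2018:10:00:01 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.3)" TLSv1/AES128-SHA
203.0.113.11 - - [01/Mar/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
203.0.113.12 - - [01/Mar/2018:10:00:03 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 10.0)" TLSv1/AES256-SHA
203.0.113.11 - - [01/Mar/2018:10:00:04 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
203.0.113.13 - - [01/Mar/2018:10:00:05 +0000] "GET /blog HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh)" TLSv1.1/ECDHE-RSA-AES128-SHA
"""

# Parses the combined format plus the trailing "protocol/cipher" field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<proto>\S+?)/(?P<cipher>\S+)$'
)


def tls_impact(log_text, checkout_prefix="/checkout"):
    """Count requests and distinct client IPs per TLS version, and the
    distinct clients that reached checkout pages, so the share of traffic
    that would break when TLS 1.0 is disabled can be estimated."""
    requests = Counter()
    clients = {}
    checkout_clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscounting them
        proto = m.group("proto")
        requests[proto] += 1
        clients.setdefault(proto, set()).add(m.group("ip"))
        if m.group("path").startswith(checkout_prefix):
            checkout_clients.setdefault(proto, set()).add(m.group("ip"))
    total = sum(requests.values())
    return {
        "requests": dict(requests),
        "clients": {p: len(s) for p, s in clients.items()},
        "checkout_clients": {p: len(s) for p, s in checkout_clients.items()},
        "tls10_share": requests["TLSv1"] / total if total else 0.0,
    }


if __name__ == "__main__":
    print(tls_impact(SAMPLE_LOG))
```

Run it over a full day or week of real logs rather than the constructed sample; the checkout breakdown is what tells you whether separating checkout from the rest of the site would actually spare most of the affected clients.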

If you are in a position where you cannot disable TLS 1.0 yet, there are alternatives: your PCI provider will accept a plan to defer this work until 30 June 2018. Another option is separating your checkout pages from the rest of your website, so that older browsers can still browse most of your site.

Check out the PCISSC blog post for further reading.

Are you concerned about disabling TLS 1.0? Running into PCI compliance issues? Unhappy with your site security? Drop us a message and see how we can help you.

Feature image made by costculculator licensed CC BY 2.0.
