Posts

Client support vs PCI 3.1 Compliance

Back in December 2015 the Payment Card Industry Security Standards Council (PCI SSC) agreed it was time to start disabling support for old and insecure SSL protocols.

TLS 1.0 needs to be switched off before the 30 June 2018.

While many of the old SSL protocols have been disabled now due to vulnerabilities such as POODLE and Heartbleed this will be the first time a protocol has been disabled that is still being used by some old browsers without a known vulnerability.

A large number of older clients will break when you disable TLS 1.0, including:

  • Android 4.3 and older
  • Internet explorer 10 and older
  • Java 7 and older
  • Safari 5.1.9 / OS X 10.6.8
  • Safari 6.0.4 / OS X 10.8.4

We recommend you look at your analytics and see how many customers will be affected before making this change.

If you are in a position where you cannot disable TLS 1.0 yet, there are alternatives, your PCI provider will accept a plan to defer this work up to the 30 June 2018. Another solution could be separating your checkout pages from your website, this way older browsers can still browse most of you site.

Check out the PCISSC blog post for further reading.

Are you are concerned about disabling TLS 1.0? Running into PCI compliance issues? Unhappy with your site security? Drop us a message and see how we can help you.

Feature image made by costculculator licensed CC BY 2.0.

Privacy

Data Privacy Day 2016

Today is Data Privacy Day! It’s been taking place annually on the 28th of January since 2007, and this year is no different. As you may have worked out already, data privacy day is all about protecting and maintaining your privacy, especially in the online world. One of the main focuses of the day is raising awareness of data protection requirements and best practices, so we thought we’d talk about some organisations and laws that help to do so.

Summary

  • If you’re a UK business and store any customer information, you need to register with the ICO
  • If a user types payment card information into your website, you are required to be PCI DSS compliant

Data Controllers & The ICO

The Information Commissioners Office (ICO) is interested in upholding rights with regards to information and does so in the public interest. It keeps track of businesses that are storing personal information (data controllers), deals with enquiries and complaints, and encourages bodies to comply with particular laws such as the Freedom of Information Act and the Data Protection Act.

The Data Protection Act stipulates that “every organisation processing personal information” must register as a data controller with the ICO (unless you are exempt), so make sure you do so if this applies to you! The responsibilities of a data controller cover things such as making sure you’re not holding onto data for longer than necessary, and that you are only recording information for the reasons specified to the ICO upon registering as a data controller.

The ICO can also provide you with help and advice on ensuring you’re upholding your responsibilities as a data controller. We highly recommend filling out the self assessment provided by the ICO to help you determine if you need to register with them.

PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS), and compliance is all about certifying that your company is handling payment card data in a safe and secure manner. It’s purpose is to try and improve the security of the online payment process, at the benefit of both the merchant and consumer.  If your website or application accepts, transmits or stores payment card information, then you must be PCI DSS compliant.

There are different levels of compliance which you must meet depending on how many payments you process and the way in which you do so. If you’re using a payment gateway, such as SagePay or PayPal, which redirects users to an external page, then you probably only need to to fill out a self-assessment questionnaire to gain compliance. You can find that questionnaire here.

If you don’t meet the standards, then you’re leaving yourself open to the possibility of very hefty fines and damage to your brand image. Setting up and securing your servers to aid in meeting the standards is something that we at Dogsbody Technology are perfectly suited to, so please get in touch if you have any questions or think that we can help!

Feature image by g4ll4is under the CC BY-SA 2.0 license.