6

We have a significant portion of sales still coming in from users using browsers that do not yet support TLS 1.1+. We also have demands from our payment processors to stop supporting TLS 1.0 for PCI compliance.

My question is this:

Is it considered PCI compliant if your server still supports TLS 1.0 but you don't allow users using it to purchase and submit personal or credit card info?

The flow would go like this:

  1. User visits website and tries to purchase product

  2. Apache server would look at SSL_PROTOCOL and check to ensure the user isn't using TLSv1

  3. If user is using TLSv1, we would inform the user in a friendly way that they need to upgrade their browser to complete their purchase, or call us at our office to help them complete the purchase.

  4. If a user is using TLSv1.1+, we would let them go about their business.

The idea here is that if we just remove TLS 1.0, users on browsers that only support it will get a browser error page rather than a nice page from our website informing them of the problem.

My question boils down to: Does PCI compliance require that the server itself not support TLS 1.0, or does it only require that you've mitigated the ability for personal data to be transmitted via TLS 1.0?

Thanks for the advice, SO'ers.

jimmy0x52
  • 161
  • 1
  • My guess is if your payment processor has asked you to drop support for TLS 1.0, you won't be able to get away with anything less. Even if your scheme is technically PCI compliant. – DepressedDaniel Dec 03 '16 at 00:52
  • Now imagine somebody exploited a flaw in TLS 1.0 and displayed a fake credit card form to your users. Do you think your site is still PCI compliant? – billc.cn Dec 06 '16 at 19:05
  • So the front-end form page itself can't use TLS 1.0 even if, upon clicking the button, the data is transmitted to an API directly that only supports TLS 1.1+? – jimmy0x52 Dec 06 '16 at 20:15

2 Answers

6

No CHD over TLS 1.0

The core requirement explicitly listed in PCI DSS is that cardholder data (CHD) must be securely encrypted in transit; it is not about the particular configuration of servers. TLS 1.0 is not considered sufficient for the channel to count as securely encrypted, but even totally unencrypted channels can be used by in-scope systems if there is a valid reason and sensitive data isn't sent over them, as in your example.

The fact that your server supports TLS 1.0 will show up on reviews/scans and will raise questions, but IMHO the auditor would accept your proposed dataflow, you'd just have to file this description and explanation during the audit.

Do note that a particular institution or payment processor may also have slightly different requirements in addition to what a PCI DSS compliance audit requires.

Peteris
  • 8,369
  • 1
  • 26
  • 35
1

IANAQSA but I'm pretty sure you can put the 'pay' part of your shop on a separate server -- which many merchants already do just to reduce PCI scope -- then let customers connect to the 'LOOK! AT! SUPER! FEATURES!' pages with TLS1.0 or even plaintext if you want, but warn them they can't buy (at least with payment card). For the actual payment you redirect up-to-date customers to a server that enforces at least 1.1, and you (or the processor) can get a standard ASV scan on that server.

dave_thompson_085
  • 9,759
  • 1
  • 24
  • 28
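An added illustration, not configuration from the question or either answer, of how the question's SSL_PROTOCOL check and the two-host split dave_thompson_085 describes look as Apache 2.4 mod_ssl/mod_rewrite configuration. The hostnames, certificate paths and the /upgrade-browser.html page are assumed placeholders.

```apache
# Storefront host: still negotiates TLS 1.0 so old browsers get a readable
# page, but no cardholder data is ever entered or posted on this vhost.
<VirtualHost *:443>
    ServerName shop.example.com            # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.pem   # placeholder
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key # placeholder
    SSLProtocol all -SSLv2 -SSLv3
    # Export SSL_PROTOCOL (TLSv1, TLSv1.1, TLSv1.2) to the application as well,
    # in case it wants to show the notice inline rather than via a redirect.
    SSLOptions +StdEnvVars

    RewriteEngine on
    # A client that negotiated plain TLS 1.0 and heads for checkout is shown
    # the friendly upgrade/call-us page instead of a browser connection error.
    RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
    RewriteRule ^/checkout(/.*)?$ /upgrade-browser.html [R=302,L]
    # Everyone else is handed to the strict payment host for the card form
    # itself, so the form page is never served over TLS 1.0 either.
    RewriteRule ^/checkout(/.*)?$ https://pay.example.com/checkout$1 [R=302,L]
</VirtualHost>

# Payment host: TLS 1.0 is disabled at the protocol level, so neither the card
# form nor its POST target can be reached over it regardless of application logic.
# This is the host the ASV scan is run against.
<VirtualHost *:443>
    ServerName pay.example.com             # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/pay.example.com.pem    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/pay.example.com.key  # placeholder
    # "-TLSv1" removes only TLS 1.0; TLS 1.1 and 1.2 remain enabled.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder on
    DocumentRoot /var/www/pay              # placeholder path
</VirtualHost>
```

After reloading, confirm the split from the outside: `openssl s_client -connect pay.example.com:443 -tls1` must fail to complete a handshake while the same command against shop.example.com still succeeds.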