PCI Compliance with SSL 2.0, SSL 3.0, and TLS 1.0

Robin L Zwirtz Wednesday January 27 2016

Don't know if you have heard all the hubbub about SSL 2.0, SSL 3.0, and TLS 1.0 being deprecated, but after June 30th, 2018 the PCI DSS will no longer accept any of them as a secure protocol for protecting cardholder data. TLS 1.1 remains acceptable, but the PCI council strongly recommends TLS 1.2. A good article on it is here:

http://www.lexiconn.com/blog/2015/12/pci-council-pushes-back-tls-1-0-end-of-life-date-to-june-2018/

Originally, the PCI council's deadline was June 30th, 2016. Another good article is here:

http://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

The official push back on the end of life date is here:

http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

The reason for the delay is that there are still older browsers and devices in circulation that only support TLS 1.0, so disabling TLS 1.0 on a web server will stop those devices from placing orders on it.

Browser and device support can be seen here:

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

BirdDog's issue is that only Microsoft .Net 4.0 and later can use TLS 1.1 and 1.2, and only when the .Net 4.5 or later runtime is installed on the machine, since that is where the newer protocol versions were added (the .Net 4.0 and 4.5 default is still SSL 3.0 and TLS 1.0 unless the application or a registry setting opts in to the newer versions). So, as long as you are running 9.6.4 or later (where we converted all applications to .Net 4.0) you should be fine. All versions before that will not be.

On top of that, many web sites are in a mad rush to remove TLS 1.0, so even if you aren't doing credit cards, you could still be impacted. For example, UPS and FedEx are expected to take down TLS 1.0 in June of this year (2016), which will impact our ability to rate freight with older software.

Recommended Action:

  • Make sure you are running version 9.6.4 or later of all BirdDog applications.
  • Consider disabling SSL 2.0, SSL 3.0, and TLS 1.0 on your web server, and test the change against the older browsers and devices your customers actually use before doing it in production.
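The script below is an added example, not something from the original post or from BirdDog: it does the second recommended action on a Windows web server by turning SSL 2.0, SSL 3.0, and TLS 1.0 off in Schannel and leaving TLS 1.1 and 1.2 on, sets the registry value that makes .Net 4.x applications (the point raised about BirdDog above) offer TLS 1.1/1.2 when the 4.5 or later runtime is installed, and includes a small check that attempts a handshake with exactly one protocol version so you can confirm what a server accepts. The Schannel and .NETFramework registry paths are the documented ones; the function names and the `www.example.com` host are placeholders. Run it as Administrator on a test machine first, and reboot for the Schannel values to take effect.

```powershell
# Added example (not part of the original post). Disables SSL 2.0 / SSL 3.0 / TLS 1.0
# in Schannel, enables TLS 1.1 / 1.2, and makes .Net 4.x prefer the newer versions.
# Requires an elevated prompt; Schannel changes take effect after a reboot.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper: writes the Enabled / DisabledByDefault values for one protocol,
# for both the Server side (incoming connections) and the Client side (outgoing ones).
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,     # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps callers that do not
        # ask for a specific version from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# The protocols PCI DSS no longer accepts go off; TLS 1.1 and 1.2 stay on.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.1', 'TLS 1.2'            | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }

# .Net 4.0 / 4.5 clients default to SSL 3.0 + TLS 1.0. SchUseStrongCrypto=1 makes them
# offer TLS 1.1 / 1.2 as well, provided the 4.5 or later runtime is installed.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

# Hypothetical check: open a TLS handshake allowing exactly one protocol version and
# report whether the server accepted it. After the reboot, TLS 1.0 against your own
# site should fail; run it against a carrier endpoint to see what they still allow.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Overload: (targetHost, clientCertificates, enabledSslProtocols, checkRevocation)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Host = $HostName; Offered = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Host = $HostName; Offered = $Protocol; Accepted = $false; Negotiated = $null }
    } finally {
        $client.Dispose()
    }
}

# Placeholder host; substitute your own site or the carrier endpoint you rate freight against.
'Ssl3', 'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsVersion -HostName 'www.example.com' -Protocol $_
}
```

One caveat on the Client side values: they apply to every Schannel consumer on that machine, not just the web server, so Remote Desktop, SQL Server connections, and any .Net software on the box that still needs TLS 1.0 will be affected too. Check those dependencies before the reboot, and keep the test function handy to confirm which versions each side actually negotiates afterwards.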