PCI compliance and Cloudflare SSL

Learn how to configure Cloudflare to meet PCI scan requirements and understand what mitigations Cloudflare has in place for earlier versions of TLS/SSL.


Cloudflare maintains PCI DSS Level 1 compliance and has been PCI compliant since 2014. Cloudflare does not manage PCI compliance for your site. However, Cloudflare helps you meet your PCI DSS requirements through our Web Application Firewall (WAF), which allows domains on Pro, Business, and Enterprise plans to meet PCI requirement 6.6. Cloudflare is audited annually by a third-party Qualified Security Assessor (QSA).

Both TLS 1.0 and TLS 1.1 are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.

PCI standards recommend using TLS 1.2. Below, you can review our list of recommended Cloudflare SSL configurations for PCI compliance.  The PCI Security Standards Council provides an overview of the Data Security Standards and tools to assist you in validating your PCI compliance.

Also see what mitigations Cloudflare implements against vulnerabilities for TLS 1.0 and 1.1.

Recommended Cloudflare SSL configurations for PCI compliance

For Free, Business and Enterprise domains:

For Pro domains:

Set Minimum TLS Version to 1.2

To configure your Cloudflare domain to only allow connections using TLS 1.2 or newer protocols:

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account for the domain.

3. Ensure the proper domain is selected.

4. Click on the Cloudflare SSL/TLS app.

5. Click the Edge Certificates tab.

6. Scroll to the Minimum TLS Version section.

7. Select TLS 1.2.
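
To confirm the setting before a PCI scan, you can probe the edge one protocol version at a time. The following is an added example, not Cloudflare code; it assumes a Python build linked against OpenSSL, and the names `probe`, `findings` and `EXPECTED` are illustrative.

```python
import socket
import ssl
import sys

# True: the edge must accept this version. False: it must refuse it once
# Minimum TLS Version is set to 1.2.
EXPECTED = {
    ssl.TLSVersion.TLSv1: False,
    ssl.TLSVersion.TLSv1_1: False,
    ssl.TLSVersion.TLSv1_2: True,
}


def probe(host, version, port=443, timeout=5.0):
    """Return True if host completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so skip certificate checks.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level;
    # lower it so a failure reflects the server's policy, not the client's.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        # Timeouts and DNS errors propagate: unreachable is not "refused".
        return False


def findings(results):
    """Compare probe results {TLSVersion: accepted} with EXPECTED."""
    out = []
    for version, must_accept in EXPECTED.items():
        if results[version] and not must_accept:
            out.append(f"{version.name} accepted: set Minimum TLS Version to 1.2")
        elif must_accept and not results[version]:
            out.append(f"{version.name} refused: TLS 1.2 clients cannot connect")
    return out


if __name__ == "__main__" and len(sys.argv) == 2:
    results = {v: probe(sys.argv[1], v) for v in EXPECTED}
    print("\n".join(findings(results)) or "TLS 1.0/1.1 refused, TLS 1.2 accepted")
```

Run it with your own hostname as the only argument; an empty findings list means the edge refuses TLS 1.0 and 1.1 and accepts TLS 1.2.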

Cloudflare mitigations against known TLS vulnerabilities

There are several mitigations Cloudflare performs against known vulnerabilities for TLS versions prior to 1.2. For example, Cloudflare does not support:

  1. Header compression in TLS
  2. Header compression in SPDY 3.1
  3. RC4
  4. SSL 3.0
  5. Renegotiation with clients
  6. DHE ciphersuites
  7. Export-grade ciphers

Cloudflare supports TLS_FALLBACK_SCSV.

Cloudflare mitigations protect against several attacks:

  • RC4 Cryptographic Weaknesses
  • SSL Renegotiation Attack
  • Protocol Downgrade Attacks
  • LogJam
  • 3DES is disabled entirely for TLS 1.1 and 1.2 and Cloudflare implements mitigations for TLS 1.0

Cloudflare provides additional mitigations for:

  • Heartbleed
  • Lucky Thirteen
  • CCS injection vulnerability

Cloudflare has patched all servers against these vulnerabilities. Also, the Cloudflare WAF has rules to mitigate several of these vulnerabilities including Heartbleed and ShellShock.  

PCI scan warnings are often the result of a false positive.  If a PCI scan failure or reported vulnerability relates to the use of Cloudflare services, review the list below of common false positives and recommended configuration adjustments.  Documentation about a specific false positive allows your QSA or Approved Scanning Vendor (ASV) to remove the false positive from their vulnerability report.  Either inform your auditor of these common false positives or take the recommended actions below:

HTTP/2 and HTTP/1.1 Cleartext Detection (Paid Plans Only)

Use Cloudflare WAF rule 100015 to restrict connections to only port 80 and 443 if you aren't using other open Cloudflare ports. You can find WAF rule 100015 in the Cloudflare UI for your domain:

  1. Click the Cloudflare Firewall app.
  2. Click the Managed Rules tab.
  3. Click Advanced under the Cloudflare Managed Rules section.
  4. Enter 100015 in the search field and click Search.
  5. Set the Mode of rule 100015 to Block.

Once enabled, the additional Cloudflare ports are still open, but no data is sent to those ports as the WAF blocks the request with an HTTP 403 response.

Return Of Bleichenbacher's Oracle Threat (ROBOT)

Security scans that note the presence of ROBOT while on Cloudflare are a false positive. Cloudflare checks padding in real time and swaps to a random session key if the padding is incorrect.

Web Application Cookies Not Marked Secure

The Cloudflare cfduid cookie is used for security purposes and cannot be disabled. The cfduid cookie doesn't contain any confidential or sensitive information and is used to note whether a user has passed JavaScript challenges such as those used by Under Attack Mode.

Sweet32 (CVE-2016-2183)

Sweet32 is a vulnerability in the use of the Triple DES (3DES) encryption algorithm in the Transport Layer Security (TLS) protocol. Sweet32 is currently a proof-of-concept attack; there are no known examples of this in the wild.

Cloudflare has manually mitigated the vulnerability for TLS 1.0 in the following manner:

  • An attacker must collect 32GB of data from a single TLS session
  • Cloudflare forces new TLS 1.0 session keys on the affected 3DES cipher well before 32GB of data is collected

If you are seeing errors about Sweet32 (CVE-2016-2183) in your PCI scans, set Minimum TLS Version to 1.2.
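
The 32GB figure is the birthday bound for a 64-bit block cipher: 2^32 blocks of 8 bytes each under one key. The following added example (not Cloudflare code) computes the collision odds for data encrypted under a single key and shows how rotating keys earlier lowers them; the 1 GiB rekey limit is a hypothetical value chosen for illustration, since the page does not state the real threshold.

```python
import math

BLOCK_BITS = 64  # 3DES block size in bits
GIB = 2 ** 30


def colliding_pairs(key_bytes, block_bits=BLOCK_BITS):
    """n(n-1)/2^(b+1): expected colliding block pairs under one key."""
    n = key_bytes // (block_bits // 8)
    return n * (n - 1) / 2 ** (block_bits + 1)


def collision_probability(key_bytes, block_bits=BLOCK_BITS):
    """Chance of at least one collision among blocks under one key."""
    # expm1 keeps precision when the probability is very small.
    return -math.expm1(-colliding_pairs(key_bytes, block_bits))


def expected_collisions(total_bytes, rekey_bytes, block_bits=BLOCK_BITS):
    """Expected collisions over total_bytes when keys change every rekey_bytes."""
    keys_used = total_bytes / rekey_bytes
    return keys_used * colliding_pairs(rekey_bytes, block_bits)


if __name__ == "__main__":
    # 1 GiB is a hypothetical rekey limit chosen for illustration only.
    for limit in (32 * GIB, GIB):
        print(f"rekey every {limit // GIB:>2} GiB: "
              f"p(one key)={collision_probability(limit):.4f}, "
              f"expected over 32 GiB={expected_collisions(32 * GIB, limit):.4f}")
```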
