PCI 3.1 and TLS 1.2

UPDATE: 25 APR 2016

The dates published in Dec 2015 by the Payment Card Industry Security Standards Council will be included as a part of the PCI DSS 3.2 specification. More about this can be read here.


UPDATE: 18 DEC 2015

The Payment Card Industry Security Standards Council has revised their original sunset date for SSL and early versions of TLS. The revisions state:


  • All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016.
  • Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater. TLS 1.2 is recommended.
  • All entities must cutover to use only a secure version of TLS (as defined by NIST) effective 30 June 2018.

The full announcement can be read here, and a formal update to the PCI DSS v3.1 requirements will be made in 2016.

Our original KB article can be read below.


“SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control after June 30, 2016.” – PCI Security Standards Council

The newest revision of the PCI Security Standards Council policy, PCI-DSS 3.1, establishes a new baseline for strong cryptography, specifically TLS (formerly SSL), required to secure payment card related traffic – TLS 1.2.

This change must be adopted by sites which handle payment card data no later than 30 June 2016. According to the PCI Council FAQ: "The successor protocol to SSL is TLS (Transport Layer Security) and its most current version as of this publication is TLS 1.2. TLS 1.2 currently meets the PCI SSC definition of 'strong cryptography'." While PCI is specific to payment card information, the PCI guidelines are also used by sites in general for security guidance.

No version of SSL (SSL 3.0 and earlier) is considered "strong cryptography" for the purposes of protecting customer data, and Cloudflare has not supported SSL 3.0 since October 2014, due to the POODLE vulnerability (see https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/). For Cloudflare customers, the primary impact of PCI 3.1 is that TLS 1.0 and TLS 1.1 are also insufficient to secure payment card related traffic.

The PCI DSS v3.1 requirements directly affected are:
  • Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons considered insecure.
  • Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
  • Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

Both TLS 1.0 and TLS 1.1 have known weaknesses which make them less than ideal for protecting information, although they are substantially stronger than SSL 3.0. TLS 1.0/TLS 1.1 are widely used today, protecting a substantial fraction of encrypted web traffic. Cloudflare is committed to the encrypted web while also ensuring sites are accessible to the greatest number of web browsers possible, so we intend to balance these concerns.

As a result of the PCI 3.1 changes, Cloudflare has implemented a transition plan to migrate traffic toward TLS 1.2 in advance of the PCI Council requirements.

1) We are monitoring browsers and traffic to track the percentage of TLS 1.0+1.1 traffic relative to the total volume of encrypted traffic.  In October 2014, this traffic was approximately 30% of all encrypted traffic on Cloudflare's network.  In February 2015, this traffic was less than 22% of all encrypted traffic on Cloudflare's network.

2) We have implemented a "TLS 1.2-only" flag to allow sites to restrict their content to be served with TLS 1.2 protection only.  This functionality is available to customers on Business and Enterprise plans only. In addition, customers are required to have custom SSL certificates or Dedicated Certificates (both with and without custom hostnames).

To find out more about this, please see: How to use Cloudflare's TLS 1.2-only feature

3) We are engaging with the PCI Council and we are actively supporting enterprise customers and their auditors with PCI audit TLS related questions.

We expect the majority of encrypted web traffic will upgrade to TLS 1.2 before the 30 June 2016 deadline for PCI.  We believe the level of adoption of TLS 1.2 will rapidly increase based on the new PCI guidance, and if this happens, it will be feasible for an increasing number of sites to go "TLS 1.2-only" as the 30 June 2016 deadline approaches.   If the level of TLS 1.2 browser adoption is insufficient to allow customers to switch entirely to TLS 1.2-only by the deadline, we are exploring alternatives.  We will release more information on TLS 1.2 adoption as well as any updates to the encryption options available to Cloudflare customers on an ongoing basis.
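Before switching a site to TLS 1.2-only, a site operator can measure the same thing item 1 above describes: what fraction of encrypted requests still negotiate TLS 1.0 or 1.1, and which clients would be refused. The script below is an added example, not Cloudflare's tooling; the log format (combined log plus a trailing protocol field such as nginx's $ssl_protocol) and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format followed by the negotiated protocol (constructed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<proto>SSLv3|TLSv1(?:\.[123])?|-)$'
)

# Protocol versions treated as PCI "strong cryptography" for this check.
PCI_STRONG = {"TLSv1.2", "TLSv1.3"}

# Constructed sample traffic: five encrypted requests, one plaintext request.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Feb/2015:12:00:01 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) IE7" TLSv1',
    '198.51.100.7 - - [10/Feb/2015:12:00:02 +0000] "GET /cart HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Android 4.3) Browser" TLSv1.1',
    '198.51.100.9 - - [10/Feb/2015:12:00:03 +0000] "POST /pay HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/40" TLSv1.2',
    '203.0.113.8 - - [10/Feb/2015:12:00:04 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Firefox/35" TLSv1.2',
    '203.0.113.9 - - [10/Feb/2015:12:00:05 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3) IE11" TLSv1.2',
    '192.0.2.4 - - [10/Feb/2015:12:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.40.0" -',
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Return (weak_share, weak_agents): the fraction of encrypted requests
    negotiated below TLS 1.2, and a Counter of the user agents that sent them."""
    encrypted = weak = 0
    weak_agents = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] == "-":   # skip plaintext and unparsable lines
            continue
        encrypted += 1
        if rec["proto"] not in PCI_STRONG:
            weak += 1
            weak_agents[rec["ua"]] += 1
    return (weak / encrypted if encrypted else 0.0), weak_agents


if __name__ == "__main__":
    share, agents = summarize(SAMPLE_LOGS)
    print(f"share of encrypted requests below TLS 1.2: {share:.0%}")
    for ua, n in agents.most_common():
        print(f"  would be refused under TLS 1.2-only: {ua} ({n})")
```

Run it against real access logs by replacing SAMPLE_LOGS with the file's lines; a share near zero, with only legacy agents in the remainder, is the signal that TLS 1.2-only can be enabled without locking out customers.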
