All months leading up to June of 2016 are going to be pretty important in the e-commerce landscape. PCI DSS 3.1 has come down and compliance is no longer a matter of looking the other way. You need to be compliant or risk fines and penalties that cannot be offset by gains without it. Your ability to accept credit cards might will be at risk.
The industry has had enough of fraud and leaky, poorly built and maintained (maintenance is a key part of this you should be thinking about) websites. They want compliance and are extremely serious about it.
There are a lot of hoops to jump through with compliance. It has also crept up so steadily in the last 15 years that many people don’t even actively think about it. Did I mention that you need to? Yes, you do. Stop messing around. You will need some money to make yourself compliant, or at least prove that you are and, if not, that you are doing something about it.
But this is not about that major process. You will need to discuss compliance with your IT department or…well, you can ask me and I can point you in the right direction. You will need some money. Don’t have it? Find it. This is serious business now.
Back to the story:
Why this is important: when you disable TLS 1.0, a significant number of people visiting your site may no longer be able to connect to it and you can’t even tell them why.
Various flavors of Microsoft Windows have various flavors of Internet Explorer and a surprising number of people and organizations use it. Governments, schools, professional services companies like law firms and accounting firms all have run IE through security and liability testing and, for many, are still on IE 10, or lower. There are also tens of thousands of people with their home machines still running Windows XP, Vista, and even Windows 7 with IE 10 and below.
Ouch.
Why? Because one of the security constraints of PCI DSS 3.1 is making sure that a security protocol and some corresponding ciphers are turned off by June 2016 (or, actually, right now). One of the major protocols is called TLS 1.0.
There exists TLS 1.1 and TLS 1.2, both of which are fine.
The only problem is that most IE 10 configurations either cannot support TLS 1.1 and 1.2 entirely, or need to be configured by the end user. Alternatively, they can use the latest versions of FireFox and Chrome.
Here’s a quick list of browsers that need to be configured, and then a quick lesson on how to do it.
- Windows 10, Server 2016, and newer
- Internet Explorer 11
- Edge
- Windows 8.1 and Server 2012 R2
- Internet Explorer 11
- Windows 8 and Server 2012
- Internet Explorer 10
- Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 10
- Enable TLS 1.1 and TLS 1.2 using Active Directory group policies
- Internet Explorer 10
- Windows 7 and Server 2008 R2
- Internet Explorer 11
- Internet Explorer 10
- Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 10
- Enable TLS 1.1 and TLS 1.2 using Active Directory group policies
- Internet Explorer 9
- Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 9
- Enable TLS 1.1 and TLS 1.2 using Active Directory group policies
- Internet Explorer 8
- Cannot update
- Windows XP, Vista, Server 2008, Server 2003, and earlier
- Internet Explorer 9 – cannot update
- Internet Explorer 8 – cannot update
- Internet Explorer 7 – cannot update
- Internet Explorer 6 – cannot update
How to enable it in browsers than can be configured to do so:
- Open IE and go to Tools. At the bottom of the menu is Internet Options
- Click the Advanced Tab, then scroll all the way to the bottom. Check the boxes where it says TLS 1.1 and TLS 1.2, then click Ok. Restart your machine for good measure.
If you are a site owner and wondering what to do next, or now, the best thing you can do is start a conversation with your developer. If they tell you not to worry about it then find another developer who will take it seriously. A word of caution: ignorance is common place in developer world. Some developers are very conscientious and highly skilled, but simply do not know or think compliance was or is a big deal. This is how it has been for a very long time and there is no surprise there. However, from this day forward you need to insist that they not only learn and follow best practices, but also prove it. It is your money at stake here, not their reputation, so protect your money.
I try and keep this site on the personal side, but in this case please do post questions if you have them. It’s part of my day job to build websites. Maybe my company can help you. If not, I can point you in the right direction.
Good luck.