SSL and TLS

From NewHaven Software Wiki


Much was made in 2015 about the vulnerabilities of SSL and early versions of TLS as a secure means of establishing a connection between a web server and a browser. The greatest area of concern on this front for our clients has been the related impact on, and requirements for, PCI compliance, particularly the 2016 deadline, which was subsequently moved to June 2018.

Thankfully, as far as CMS is concerned, there isn't much to worry about, since CMS does not use your browser. CMS TEN (10.0.x) has also been validated as compliant against the PA-DSS 3.0 standard, which confirmed that CMS does not require the use of insecure protocols and is compatible with the use of secure protocols. You can find CMS on the PCI Council's site in their list of validated payment applications. (TIP - search by Application Name for 'CMS - Commerce Management System')

While CMS does require that a secure connection be made whenever credit card data may be passed, CMS does not specify or require a particular security protocol. Instead, CMS relies on Windows and the service provider to negotiate, during the handshake, which protocol will be used to establish the secure connection. To this end, you'll want to be sure that:

A) You are using a supported Microsoft operating system on the workstations that run CMS (note that Windows XP and Server 2003 are no longer supported).

B) You are connecting to service providers/partners that use, or dictate, protocols currently deemed secure by PCI. These include the host of your website(s) and your payment processor.

For example, Authorize.net, one of our payment partners, has recently made changes to its systems to address the use of secure versions of TLS. You can read more about this in our wiki article on Authorize.net Changes.
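As an added check for points A) and B) above (an example script, not part of CMS or this wiki), the following PowerShell reports the Schannel client settings that decide what Windows will offer in the handshake, and then tests which TLS versions a given provider endpoint will accept from this workstation. The host name is a placeholder; replace it with your own web host or payment processor.

```powershell
# Added example, not NewHaven Software's or CMS's own code. Reports the Schannel
# client settings that govern what Windows offers in a TLS handshake, then probes
# which TLS versions a provider endpoint accepts from this workstation.
# $TargetHost is a placeholder: replace it with your web host or processor.
param(
    [string]$TargetHost = 'payments.example.invalid',  # placeholder, not a real endpoint
    [int]$Port = 443
)

function Get-SchannelClientSetting {
    # An absent key means the operating system default for that version applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($version in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$version\Client"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Version           = $version
            Enabled           = if ($props -and $props.PSObject.Properties['Enabled']) { $props.Enabled } else { '(default)' }
            DisabledByDefault = if ($props -and $props.PSObject.Properties['DisabledByDefault']) { $props.DisabledByDefault } else { '(default)' }
        }
    }
}

function Test-TlsVersion {
    param([string]$HostName, [int]$Port, [string]$ProtocolName)
    # Request exactly one protocol version so the result isolates that version.
    $protocol = [System.Security.Authentication.SslProtocols]$ProtocolName
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $protocol, $true)
        [pscustomobject]@{ Requested = $ProtocolName; Negotiated = $ssl.SslProtocol; Result = 'accepted' }
    } catch {
        $reason = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        [pscustomobject]@{ Requested = $ProtocolName; Negotiated = $null; Result = "refused: $reason" }
    } finally {
        $client.Close()
    }
}

Write-Host 'Schannel client protocol settings on this workstation:'
Get-SchannelClientSetting | Format-Table -AutoSize

Write-Host "Handshake results against ${TargetHost}:${Port}"
$results = foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName $TargetHost -Port $Port -ProtocolName $name
}
$results | Format-Table -AutoSize
```

Against a provider that has dropped the protocols PCI no longer accepts, expect the Tls (1.0) and Tls11 rows to read refused and Tls12 to read accepted; a refusal on every row points at the workstation's own operating system or Schannel configuration rather than the provider.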
