SSL and TLS - Revision history

Russ horton at 22:36, 13 April 2016

2016-04-13T22:36:15Z

← Older revision		Revision as of 22:36, 13 April 2016
Line 1:		Line 1:
	Much ~~has been~~ made in ~~recent years~~ about the vulnerabilities of [http://info.ssl.com/article.aspx?id=10241 SSL] and early versions of [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] as a secure means of establishing a connection between a web server and a browser. The greatest area of concern on this front for our clients has been the related impact and requirements for PCI compliance, particularly the 2016 deadline which was subsequently moved to [http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls June 2018].		Much was made in 2015 about the vulnerabilities of [http://info.ssl.com/article.aspx?id=10241 SSL] and early versions of [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] as a secure means of establishing a connection between a web server and a browser. The greatest area of concern on this front for our clients has been the related impact and requirements for PCI compliance, particularly the 2016 deadline which was subsequently moved to [http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls June 2018].

	Thankfully, as far as CMS is concerned, there isn't much to worry about since CMS does not use your browser. CMS TEN (10.0.x) has been validated as compliant against the PA-DSS 3.0 standard which ensured the CMS was not requiring the use of insecure protocols and is compatible with the use of secure protocols. You can find CMS on the PCI Council's site in their list of [https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true validated payment applications]. (search ~~on application name~~ CMS - Commerce Management System)		Thankfully, as far as CMS is concerned, there isn't much to worry about since CMS does not use your browser. CMS TEN (10.0.x) has also been validated as compliant against the PA-DSS 3.0 standard which ensured the CMS was not requiring the use of insecure protocols and is compatible with the use of secure protocols. You can find CMS on the PCI Council's site in their list of [https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true validated payment applications]. (TIP - search by Application Name for 'CMS - Commerce Management System')

	While CMS does enforce/require secure connections be made when credit card data may be passed, CMS is not specifying or requiring a particular security protocol. Instead CMS is relying on Windows and the service provider to handle that handshake to determine which protocol can be used to establish a secure connection. To this end you'll want to be sure that:		While CMS does enforce/require secure connections be made when credit card data may be passed, CMS is not specifying or requiring a particular security protocol. Instead CMS is relying on Windows and the service provider to handle that handshake to determine which protocol can be used to establish a secure connection. To this end you'll want to be sure that:
Line 8:		Line 8:
	Noting Windows XP and Server 2003 are no longer supported		Noting Windows XP and Server 2003 are no longer supported

	B) You are connecting to a service provider/partner that is using/dictating protocols currently deemed secure by PCI.		B) You are connecting to a service provider/partner that is using/dictating protocols currently deemed secure by PCI. These would include the host or your website(s) and payment processor.

	For example, Authorize.net, one of our payment partners, has recently made changes in their systems to address the use of secure versions of TLS. You can read more about this in our wiki article on [[Authorize.net Changes]].		For example, Authorize.net, one of our payment partners, has recently made changes in their systems to address the use of secure versions of TLS. You can read more about this in our wiki article on [[Authorize.net Changes]].

Russ horton at 22:14, 13 April 2016

2016-04-13T22:14:08Z

← Older revision		Revision as of 22:14, 13 April 2016
Line 10:		Line 10:
	B) You are connecting to a service provider/partner that is using/dictating protocols currently deemed secure by PCI.		B) You are connecting to a service provider/partner that is using/dictating protocols currently deemed secure by PCI.

	For example, Authorize.net, one of our payment partners, has recently made changes in their systems to address the use of secure versions of TLS. You can read more about this in our article on [[Authorize.net ~~changes~~]].		For example, Authorize.net, one of our payment partners, has recently made changes in their systems to address the use of secure versions of TLS. You can read more about this in our wiki article on [[Authorize.net Changes]].

Russ horton: Created page with 'Much has been made in recent years about the vulnerabilities of [http://info.ssl.com/article.aspx?id=10241 SSL] and early versions of [https://en.wikipedia.org/wiki/Transport_Lay…'

2016-04-13T19:29:13Z

Created page with 'Much has been made in recent years about the vulnerabilities of [http://info.ssl.com/article.aspx?id=10241 SSL] and early versions of [https://en.wikipedia.org/wiki/Transport_Lay…'

New page

Much has been made in recent years about the vulnerabilities of [http://info.ssl.com/article.aspx?id=10241 SSL] and early versions of [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] as a secure means of establishing a connection between a web server and a browser. The greatest area of concern on this front for our clients has been the related impact and requirements for PCI compliance, particularly the 2016 deadline which was subsequently moved to [http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls June 2018].

Thankfully, as far as CMS is concerned, there isn't much to worry about since CMS does not use your browser. CMS TEN (10.0.x) has been validated as compliant against the PA-DSS 3.0 standard which ensured the CMS was not requiring the use of insecure protocols and is compatible with the use of secure protocols. You can find CMS on the PCI Council's site in their list of [https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true validated payment applications]. (search on application name CMS - Commerce Management System)

While CMS does enforce/require secure connections be made when credit card data may be passed, CMS is not specifying or requiring a particular security protocol. Instead CMS is relying on Windows and the service provider to handle that handshake to determine which protocol can be used to establish a secure connection. To this end you'll want to be sure that:

A) You are using a supported Microsoft operating system on your workstations that run CMS
Noting Windows XP and Server 2003 are no longer supported

B) You are connecting to a service provider/partner that is using/dictating protocols currently deemed secure by PCI.

For example, Authorize.net, one of our payment partners, has recently made changes in their systems to address the use of secure versions of TLS. You can read more about this in our article on [[Authorize.net changes]].