TLS compatibility with PCI DSS (Payment Card Industry Data Security Standard)


Offering your site via HTTPS rather than unencrypted HTTP is no longer an optional feature; it is the standard and the best practice. HTTPS has many advantages and is mandatory for PCI DSS compliance. It increases user confidence in a site, positively influences ranking in search engine indices and enables the use of modern technologies such as HTTP/2. Sites accessed via plain HTTP will soon even be marked as "not secure" in the Google Chrome browser.

Activating HTTPS has long been a significant hurdle for many site operators. With Let's Encrypt the setup keeps getting easier. For customers of wao.io, HTTPS is activated with a few clicks.

When a user accesses a site via HTTPS, the communication is encrypted. The encryption protocol used is TLS. Once the connection is established and the browser has verified the authenticity of the site's certificate, the user sees a green padlock in the browser's address bar.

The first version of TLS was standardized in 1999 as the successor to SSL v2 and SSL v3. Since then both the web and the encryption technologies have gone through several stages of development. Growing computing power, and even more so weaknesses discovered in the protocol and its ciphers since then (for example the CBC mode as used in TLS 1.0, exploited by the BEAST attack, and the RC4 stream cipher), make attacks on encrypted communication practical that were unthinkable when the first protocol versions were standardized. To keep up, TLS has been continuously developed and extended with new functions. At the time of writing the current version of the protocol is TLS 1.2; version 1.3 is available as a final draft for standardization (it has since been published as RFC 8446). The more modern versions of TLS not only bring new features but also fix vulnerabilities and bugs. It is therefore definitely recommended to use the more modern, and thus more secure, versions of TLS for HTTPS communication.

Support of TLS 1.2 and TLS 1.3

The problem, however, is that older browsers do not support TLS 1.2 and TLS 1.3 and cannot reach a site that is only accessible through these versions. According to caniuse.com, the share of users with browsers lacking TLS 1.2 support is currently around 2%.

Transport Layer Security protocol (TLS) 1.2 in use for PCI DSS

This makes the decision a balancing act between security and the required compatibility with older browsers.

PCI DSS Compliance for eCommerce

For sites that have to be compliant with PCI DSS (Payment Card Industry Data Security Standard), such as online shops with their own payment process, the PCI Security Standards Council has made the decision for the operators.

Since June 30, 2018, sites must have disabled SSL and "early TLS" (TLS 1.0) to be compliant with the current version of PCI DSS (v3.2). TLS 1.1 is still tolerated, but the PCI SSC strongly recommends TLS 1.2 or higher.

As an edge platform, this requirement confronted us with the question of how to handle it. Security is very important to us and we are proud to offer HTTPS for all sites with just a few clicks. On the other hand, we also host many sites without high security requirements. For them, compatibility with as many browsers as possible is the most important requirement.

Compatibility with wao.io

Therefore, we decided to meet both demands. Our solution is to offer two differently configured entry points into our platform wao.io. The first offers the highest possible compatibility, even with very old browsers: all TLS versions are accepted and a broad cipher list is offered for the handshake. This endpoint consequently does not satisfy the PCI DSS requirement described above. The second only allows connections via TLS 1.2 and very modern ciphers, which keeps communication as secure as possible.

This allows customers of wao.io to decide for themselves which option is right for them based on the requirements of their site. The selected option is configured via different DNS settings. For more information, please visit our knowledgebase.

How secure are the users of your site? The SSL Server Test at www.ssllabs.com shows which protocol versions and ciphers your site offers and whether its encryption meets current requirements.
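For a quick check from your own machine, before or between SSL Labs scans, the following added example (not wao.io code and not related to the SSL Labs test) probes which TLS versions a server accepts by pinning a client handshake to one version at a time, then evaluates the result against the PCI DSS rule described above: TLS 1.0 must be off, TLS 1.2 or higher must be available, TLS 1.1 is tolerated but flagged. The host name on the command line is an assumption; SSL 2 and SSL 3 are not probed because a current OpenSSL build cannot offer them, and a local OpenSSL that refuses to offer TLS 1.0 is reported as "not probed" rather than being mistaken for a server that rejects it.

```python
"""Probe a server's accepted TLS versions and check the PCI DSS early-TLS rule.

Added example, not wao.io code. Requires Python 3.7+ (ssl.TLSVersion).
"""
import socket
import ssl
from typing import Dict, List, Optional

# Versions the ssl module can pin a client to, oldest first.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

# "Early TLS" that PCI DSS requires to be disabled (SSL 2/3 are not probed
# here because modern OpenSSL cannot speak them at all).
EARLY_TLS = {"TLS 1.0"}


def probe_version(host: str, version: ssl.TLSVersion, port: int = 443,
                  timeout: float = 5.0) -> Optional[bool]:
    """True if the server completes a handshake pinned to `version`,
    False if the server refuses it, None if the local OpenSSL build
    cannot offer that version (nothing can be concluded about the server)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is irrelevant for a version probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL security level >= 1 disables old versions; lower it for this
    # probe context only (ignored on builds that do not understand it).
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # version compiled out of the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        # protocol_version alert or handshake failure: server declined.
        return False


def supported_versions(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every version in VERSIONS against host:port."""
    return {name: probe_version(host, v, port) for name, v in VERSIONS}


def pci_dss_findings(results: Dict[str, Optional[bool]]) -> List[str]:
    """Evaluate a {version: accepted?} map. FAIL breaks the PCI DSS rule,
    UNKNOWN means the probe was inconclusive, WARN is advisory."""
    findings = []
    for v in sorted(EARLY_TLS):
        if results.get(v) is True:
            findings.append(f"FAIL: {v} accepted (early TLS must be disabled)")
        elif results.get(v) is None:
            findings.append(f"UNKNOWN: {v} could not be probed with the local OpenSSL")
    if not (results.get("TLS 1.2") or results.get("TLS 1.3")):
        findings.append("FAIL: neither TLS 1.2 nor TLS 1.3 accepted")
    if results.get("TLS 1.1") is True:
        findings.append("WARN: TLS 1.1 accepted (tolerated, but migrate to TLS 1.2+)")
    return findings


def is_pci_dss_tls_compliant(results: Dict[str, Optional[bool]]) -> bool:
    """Compliant only when there are no FAIL and no UNKNOWN findings."""
    return not any(f.startswith(("FAIL", "UNKNOWN")) for f in pci_dss_findings(results))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    res = supported_versions(host)
    for name, ok in res.items():
        state = "accepted" if ok else ("rejected" if ok is False else "not probed")
        print(f"{name:8s} {state}")
    for line in pci_dss_findings(res) or ["OK: no findings"]:
        print(line)
```

Run it as `python tls_probe.py shop.example.com`: a server on the compatibility endpoint described above will show TLS 1.0 accepted and a FAIL finding, a server on the strict endpoint shows only TLS 1.2 (and, once offered, TLS 1.3) accepted and no findings.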

Do you have problems setting up and optimizing your HTTPS stack? Then put wao.io in front of your site and benefit from our optimized HTTPS setup, whether you rely on the highest possible browser compatibility or on the most modern encryption technologies.
