On June 30, 2018, the aging encryption protocol TLS 1.0 will finally be put out to pasture by the Payment Card Industry (PCI). To remain PCI-compliant, merchants and service providers must move to TLS 1.1 or later, with TLS 1.2 strongly recommended.
This is hardly a surprise to most of the Internet. TLS 1.0 dates back to 1999, when the IETF standardized Netscape's SSL 3.0 as an early attempt to encrypt connections between systems. Nearly 20 years later, it lacks the AEAD cipher suites and SHA-256-based key derivation of TLS 1.2, its CBC cipher suites are exposed to well-known attacks such as BEAST, and its antiquated encryption is unsuitable for protecting cardholder data and other sensitive information.
What’s PCI compliance and why should I care?
A “PCI-compliant” merchant or provider is one that meets all requirements for protecting customer credit card data as established by the Payment Card Industry. These requirements are collectively known as the Payment Card Industry Data Security Standard (PCI DSS). At Nexcess, we use external assessors to verify that our systems and processes meet the security requirements set by the PCI Security Standards Council.
Any merchant or service provider who stores, processes, or transmits cardholder data must comply with the PCI DSS. To maintain your compliance as a merchant and our compliance as a hosting provider, TLS 1.0 must no longer be used.
I’m an online merchant and Nexcess hosts my website. Should I panic?
No. Our servers are fully compatible with TLS 1.2. When we disable the TLS 1.0 protocol on our servers, it will only affect customers who use exceptionally old browsers, operating systems, or other software to access your site. This is an unlikely scenario because the Internet has already become almost unusable for many of those same systems.
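A merchant who wants to confirm that a server has actually stopped negotiating TLS 1.0 can probe it directly rather than take anyone's word for it. The script below is an added example written for this post, not Nexcess tooling: it pins a Python client to one protocol version at a time, records which versions the server agrees to, and interprets the result against the PCI rule described above (TLS 1.0 off, TLS 1.1 tolerated, TLS 1.2 recommended). It assumes Python 3.7 or later for `ssl.TLSVersion`; the host name in the usage line is a placeholder.

```python
import socket
import ssl
import sys

# Protocol versions to offer, oldest first. SSLv3 is left out because current
# Python/OpenSSL builds cannot offer it at all.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_context(version):
    """Client context that will offer exactly one protocol version.

    Certificate and hostname verification stay on: a verification failure is
    still evidence that the server accepted the protocol (see probe_version).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 1.1.1+ and 3.x refuse to offer TLS 1.0/1.1 at the default
        # security level; lower it for this probe only, never for real traffic.
        # LibreSSL has no security levels and rejects the string; that is fine.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'accepted (cert invalid)', 'refused' or
    'client-unsupported' for a single protocol version."""
    try:
        ctx = build_context(version)
    except (ValueError, ssl.SSLError):
        # The local OpenSSL was built without this version, so the probe
        # cannot say anything about the server for it.
        return "client-unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # tls.version() is the version the server actually chose.
                return "accepted" if tls.version() else "refused"
    except ssl.SSLCertVerificationError:
        # The handshake reached certificate checking, so the server did
        # agree to this version; the certificate is a separate problem.
        return "accepted (cert invalid)"
    except OSError:
        # Protocol-version alerts, connection resets and timeouts all land here.
        return "refused"


def probe_host(host, port=443):
    """Probe every version in VERSIONS and return {name: status}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def pci_verdict(results):
    """Interpret a {version: status} map against the PCI DSS migration rule."""
    accepted = {v for v, s in results.items() if s.startswith("accepted")}
    if "TLSv1.0" in accepted:
        return "FAIL: server still negotiates TLS 1.0"
    if results.get("TLSv1.0") == "client-unsupported":
        # We could not even offer TLS 1.0, so "refused" would be meaningless.
        return "INCONCLUSIVE: this client cannot offer TLS 1.0; probe from a host whose OpenSSL still can"
    if not accepted:
        return "INCONCLUSIVE: no version negotiated (host down, port closed, or all refused)"
    if "TLSv1.1" in accepted:
        return "WARN: TLS 1.1 still enabled; PCI strongly recommends TLS 1.2 or later"
    return "PASS: only TLS 1.2 or later negotiated"


if __name__ == "__main__":
    # Usage: python tls_probe.py shop.example.com [port]
    # "shop.example.com" is a placeholder; substitute your own site.
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = probe_host(target, port)
    for name, status in results.items():
        print(f"{name:8} {status}")
    print(pci_verdict(results))
```

Two caveats when reading the output. A "refused" for TLS 1.0 only means the server declined the version that this client offered, so run the probe from a machine whose OpenSSL can still speak TLS 1.0 (the script reports "client-unsupported" when it cannot). And the check covers the web port only; mail, FTP-over-TLS and any payment callbacks run on their own ports and need the same probe with the port argument.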
Will my device still be able to access the Internet? What operating systems and software are affected by this change?
We’ve already disabled TLS 1.0 on the server hosting this blog. If you’re reading this, your browser negotiated TLS 1.1 or later, and in practice that means it supports version 1.2.
In theory, the retirement of version 1.0 could affect your web browsing, email, and accepting payments through third parties like PayPal. However, as noted above, software that relies on TLS 1.0 has already fallen by the wayside for most internet-savvy users.
Below is a partial list of software (using default settings) that will continue to function on servers that require TLS 1.1+. Keep in mind that TLS 1.1 is only the minimum: it still lacks the modern cipher suites of TLS 1.2, and both we and the PCI recommend using software compatible with version 1.2.
- Operating systems:
- Windows 8+
- Windows Server 2016+
- Mac OS X 10.8+
- Android 5.0+
- FTP clients:
- WinSCP 4.3.8+
- FileZilla 3.0.4+
- Cyberduck 4.4.3+
- Transmit 4.0+
- Email clients:
- Microsoft Outlook 2010+
- Apple Mail 10.0+
- Mozilla Thunderbird 43+
- Web browsers:
- Mozilla Firefox 27+
- Google Chrome 38+
- Microsoft Internet Explorer 11+
- Microsoft Edge (all versions)
- Apple Safari 7+
- Opera 12.18+