PCI DSS 3.1 is the latest version of the standard, released as a guideline for maintaining payment security for merchants that store, process or transmit cardholder data. In it, the PCI SSC introduced a change to SSL/TLS compliance: all SSL deployments with SSL 1.0, 2.0, 3.0 or TLS 1.0 enabled need to be migrated and updated to TLS 1.1 and above by 30th June 2016.
Previously, to comply with the latest PCI DSS (Payment Card Industry Data Security Standard), you needed to install an SSL certificate on your server, as long as it used a minimum of 2048-bit encryption with a SHA-2 algorithm. However, that is about to change come 30th June 2016, when SSL and early TLS will no longer be considered strong cryptography and cannot be used as a security control.
This change to PCI DSS was made to meet the standards of the encryption industry, where the SSL and early TLS protocols are widely acknowledged as vulnerable at their connection endpoints. This includes attacks such as POODLE, BREACH, and Heartbleed.
Configuring Your SSL Certificate
By now, you should know that an SSL certificate from any Certificate Authority (CA) has a lifespan of anywhere between 1 and 3 years. Not using it for its full lifecycle would be a waste of existing resources and money. To comply with the latest PCI DSS update, all you need to do is configure the SSL settings on your server to disable SSL 2.0 and SSL 3.0 and enable the latest protocol, TLS 1.2. It's as simple as that.
Below are the instructions for some of the common server platforms to get you started:
- Apache cPanel & WHM Instructions
- Microsoft IIS Instructions
- Microsoft Exchange Instructions
- Tomcat Instructions
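For the Apache case, the configuration step above can be checked before a scan or audit. The following is an added example, not part of the original article or of any vendor's tooling: a Python check that evaluates mod_ssl SSLProtocol lines token by token and reports SSL 2.0, SSL 3.0 or TLS 1.0 still enabled, or TLS 1.2 missing. It assumes "all" expands to SSLv3 through TLSv1.2 (the worst case for an OpenSSL 1.0.1+ build), and the sample configuration is constructed.

```python
import re

# Assumption: "all" is taken at its worst case (OpenSSL 1.0.1+ built with SSLv3).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL | {"SSLv2"}}   # SSLv2 kept for legacy configs
BANNED = {"SSLv2", "SSLv3", "TLSv1"}              # SSL and early TLS
REQUIRED = "TLSv1.2"
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(value):
    """Apply tokens left to right: +x adds, -x removes, a bare x replaces the set."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        key = name.lower()
        if key != "all" and key not in KNOWN:
            raise ValueError(f"unknown protocol token: {token!r}")
        selected = set(ALL) if key == "all" else {KNOWN[key]}
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:
            enabled = selected
    return enabled


def audit(config_text):
    """Return (line_no, enabled, findings) for every SSLProtocol line."""
    results = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if match:
            enabled = enabled_protocols(match.group(1))
            findings = [f"{p} must be disabled" for p in sorted(enabled & BANNED)]
            if REQUIRED not in enabled:
                findings.append(f"{REQUIRED} is not enabled")
            results.append((line_no, enabled, findings))
    return results

# Constructed sample configuration, not taken from a real server.
SAMPLE = (
    "<VirtualHost *:443>\n    SSLProtocol all -SSLv2\n</VirtualHost>\n"
    "<VirtualHost *:8443>\n    SSLProtocol all -SSLv3 -TLSv1\n</VirtualHost>\n"
)
if __name__ == "__main__":
    for line_no, enabled, findings in audit(SAMPLE):
        print(f"line {line_no}: {sorted(enabled)} -> {findings or 'OK'}")
```

The protocols a server actually offers also depend on its OpenSSL build and on how the directive is inherited between server and virtual-host scope, which this check does not model.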
Inspect SSL Endpoints with Certificate Tools
To find out whether the latest protocol is enabled, you can use one of the industry's most-used tools to discover, inspect and analyze your certificate.
The DigiCert Certificate Inspector Tool
The Certificate Inspector Tool from DigiCert is a free-to-use application that inspects all certificates on a server and analyzes all endpoint vulnerabilities. What's great about this application is its nicely built user interface (UI) with an easy-to-use reporting feature. The Inspector Tool provides a letter grade and diagnoses issues related to your SSL certificate (including whether SSL 2.0, 3.0 or early TLS is enabled) and its endpoints, guiding you towards optimizing your configuration for a secure connection.
Get More with DigiCert
DigiCert is at the forefront of SSL/TLS technologies, and as a DigiCert customer you'll receive updates on vulnerabilities and newly released technologies, making it easier for you to monitor and update your SSL/TLS certificate to comply with a PCI DSS audit.