Overview
The PCI Security Standards Council was founded in 2006 by major credit card providers including American Express, Discover, JCB International, MasterCard, and Visa. This organization prepares and promotes standards for the security of cardholder data. All of the member credit card brands share equally in the governance and execution of the council’s work.
A change happened on June 30, 2018
PCI DSS set a deadline of June 30, 2018 for deprecating SSL and early TLS on e-Commerce websites and payment gateways as an acceptable standard for encrypting credit card transaction data. Now the PCI DSS standards accept only TLS 1.2 for transaction processing on e-Commerce sites and payment gateways.
Why deprecate SSL/old TLS?
There are a number of reasons why we should stop using older SSL protocols, but the most important are:
What should you do?
Prepare a Risk Mitigation and Migration Plan - We recommend that you review the official PCI Security Standards Council document on this topic, called Guidance for Migrating from SSL and Early TLS. Then take the following steps, depending on which programming technology your web site uses.
Java
Are you running Java applications (Tomcat, JBoss, WildFly, etc.)? To meet the latest PCI DSS standards for your Java application you must use JDK 1.8 or later, which uses TLS 1.2 by default, so no custom changes to the JDK installation are needed. TLS 1.2 first appeared in JDK 7; however, there it comes disabled by default, and you have to make a series of changes to enable it.
TLS is backwards-compatible. After upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 and 1.1, it will remain available. Nevertheless, it’s recommended that your developers upgrade your code to run on TLS 1.2 only.
If you would like to know more about JDK 1.8 and TLS 1.2 read this official article.
How to upgrade to JDK 1.8 on server with ISPmanager 5
How to upgrade to JDK 1.8 on server with ISPmanager 4
Please involve your developers before applying these changes: if your application does not yet support JDK 1.8, code adjustments might be needed, since some functionality or Java classes may have been updated.
PHP and other technologies that run on Apache
Are you running a regular Apache/database website (WordPress, Joomla, Drupal, or HTML5/CSS/jQuery/JavaScript)?
To meet current PCI DSS standards you must run OpenSSL 1.0.2 and Curl 7.34 or later. However, we recommend Curl 7.58, which uses TLS 1.2 by default. TLS 1.2 first appeared in OpenSSL 1.0.0h and 1.0.1 and in Curl 7.18; however, in those versions it comes disabled by default, and you have to perform a series of changes to enable it.
TLS is backwards-compatible. After upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 and 1.1, it will remain available. Nevertheless, it’s recommended that your developers upgrade your code to run on TLS 1.2 only.
How to upgrade to OpenSSL 1.0.2 and Curl 7.58 on servers with ISPmanager 4 or 5
1. Log in to ISPmanager > Go to Tools > Shell-client (you can connect via SSH instead)
Once you have performed all the upgrades, make sure you also update the SSL protocol and cipher suite settings to something similar to this:
SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.2 +TLSv1.1
SSLCipherSuite EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4
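As an added example (not code from the original article), here is a small Python check that evaluates an SSLProtocol line with mod_ssl's own set/add/remove semantics and reports the versions this article says PCI DSS no longer accepts; it assumes that "all" expands to every version from SSLv3 through TLSv1.3, as in recent httpd/OpenSSL builds.

```python
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Per the article, only TLS 1.2 (or later) is acceptable for card data;
# everything below it is flagged. SSLv2 is listed only so the "-SSLv2"
# token in the article's directive parses (modern OpenSSL no longer has it).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_sslprotocol(directive):
    """Return the set of versions an Apache SSLProtocol line enables.
    mod_ssl semantics: a bare token SETS the list, '+' adds to it, '-'
    removes from it, and 'all' means every version from SSLv3 upward
    (assumed here to include TLSv1.3, as in recent httpd/OpenSSL builds).
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()  # mod_ssl starts from an empty set when parsing
    for tok in tokens[1:]:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        if name.lower() == "all":
            names = {p for p in PROTOCOLS if p != "SSLv2"}
        else:
            names = {p for p in PROTOCOLS if p.lower() == name.lower()}
            if not names:
                raise ValueError("unknown protocol %r" % name)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def pci_findings(directive):
    """List the problems a PCI DSS review would raise for this directive."""
    enabled = parse_sslprotocol(directive)
    findings = ["%s is enabled" % p for p in PROTOCOLS if p in enabled & LEGACY]
    if not enabled & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2 or later enabled")
    return findings


if __name__ == "__main__":
    # The directive shown in this article, plus two other common forms.
    for line in ("SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.2 +TLSv1.1",
                 "SSLProtocol all -SSLv3", "SSLProtocol -all +TLSv1.2"):
        print(line, "->", pci_findings(line) or ["OK"])
```

Run against the directive above, the check reports that TLSv1.1 is still enabled, which is worth knowing if you intend to process transactions on TLS 1.2 only.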
Keep in mind we also have a service called “Security Optimization for Apache Web Server” and we can help you to get an A+ on your SSL cipher and security.
If you are running CentOS 5, please contact support@eapps.com, since your server is already EOL and needs to be migrated to the newer CentOS 7 64-bit.
If you are not sure how to do this, please contact eApps Support - support@eapps.com
Official PCI DSS documentation