E-commerce enterprises gently told to update those protocols ... or else

A revamp in payment card industry regulations due out later this month will penalise e-commerce enterprises that rely on outdated crypto protocols. The PCI Security Standards Council updated standard – PCI DSS 3.1 – mandates that businesses move away from SSL onto more modern TLS protocols. The council is introducing the …

  1. This post has been deleted by its author

    1. Anonymous Coward

      Care to enlighten us on what PFS is? Google is not helpful.

  2. frank ly

    Aha!

    "Small shops can pass the regulations through self-assessment,..."

    I've been using cash in small shops and petrol stations for years.

  3. WibbleMe

    In terms of SSL protocol, if you were fully compliant then you may alienate some Android phone users, some using Apple web browsers and of course very old IE browsers; this is a huge percentage of your market. So really, for a real-world website it's a tough nugget.

    But don't forget that even if a web site is not compliant it may be using a 3rd-party redirect that takes the user off to another website such as Realex/HSBC or PayPal, so there is no card data stored on the "non" PCI DSS compliant website.

    1. Martin Summers

      Someone can still compromise your server and man in the middle the third party gateway page, or just take the victim somewhere completely different.

    2. Tom 13

      Re: you may alienate some

      Tough. Quite frankly, governments ought to issue edicts that all of their webpages and web apps meet these standards too. I'm tired of having to skip MS Critical Updates and having both SSL v2 and v3 enabled because some web application doesn't support the appropriate protocols. It's as bad as having the default admin password on an internet facing server set to 12345 or password.

      1. Anonymous Coward

        Re: you may alienate some

        Crap how did you find out the Admin password to the internet?

    3. Justin Pasher

      Re: Older browsers

      By disabling SSLv3, you really don't cut off that many people (communication via older scripts could be a different story). PFS is recommended, but that's not what this is talking about.

      Works fine:

      ------------------------------

      Android 2.3.7 - Uses TLS 1.0

      IE7 on Vista - Uses TLS 1.0

      IE8 on WinXP - Uses TLS 1.0

      Safari 5 on OS X 10.6.8 - Uses TLS 1.0

      Safari 6 on iOS 6 - Uses TLS 1.2

      Does not work:

      ------------------------------

      IE6 on WinXP - Uses SSLv3

      I'm sorry, but if you are really that concerned about cutting off IE6 users on Windows XP, then you need to contact those people and tell them to get their act together. Either upgrade off an unsupported OS or switch to an alternate browser that was written in the past decade.
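The two points raised in this thread, what PFS (perfect forward secrecy) actually is and why disabling SSLv3 is the change PCI DSS 3.1 asks for, can be checked mechanically. The script below is an added example written for this page, not code from The Register or any commenter. It audits a constructed TLS configuration (protocol list plus OpenSSL-style cipher names, all made up here) and flags deprecated protocol versions, ciphers without forward secrecy, and weak ciphers; it also builds a Python client context that refuses anything below TLS 1.2 using the standard `ssl` module. The `SAMPLE_CONFIG` dict and the finding strings are assumptions of the example, not a real site's settings.

```python
import re
import ssl

# Constructed sample configuration for demonstration; not taken from any real server.
SAMPLE_CONFIG = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "ECDHE-RSA-AES128-GCM-SHA256",  # ephemeral ECDH: forward secret
        "DHE-RSA-AES256-SHA",           # ephemeral DH: forward secret
        "AES128-SHA",                   # static RSA key exchange: no PFS
        "RC4-SHA",                      # static RSA and a broken stream cipher
        "DES-CBC3-SHA",                 # static RSA and 3DES
    ],
}

# Protocol versions PCI DSS 3.1 no longer accepts as "strong cryptography".
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}

# Cipher-name tokens (OpenSSL naming) for algorithms that should not be offered.
WEAK_TOKENS = {"RC4", "DES", "NULL", "EXP", "MD5"}

# OpenSSL cipher names whose key exchange is ephemeral (EC)DH. With PFS, a later
# compromise of the server's long-term private key does not let an attacker who
# recorded past traffic decrypt it, because each session used a throwaway key.
PFS_KX = re.compile(r"^(ECDHE|DHE|EDH)-")


def has_forward_secrecy(cipher_name):
    """True if the suite's key exchange gives perfect forward secrecy."""
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral key exchange.
    if cipher_name.startswith("TLS_"):
        return True
    return bool(PFS_KX.match(cipher_name))


def is_weak_cipher(cipher_name):
    """True if the suite names an algorithm from WEAK_TOKENS."""
    return bool(set(cipher_name.split("-")) & WEAK_TOKENS)


def audit_config(config):
    """Return a list of human-readable findings for a protocol/cipher configuration."""
    findings = []
    for proto in config["protocols"]:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"protocol {proto} enabled: disable it (PCI DSS 3.1)")
    for cipher in config["ciphers"]:
        if not has_forward_secrecy(cipher):
            findings.append(f"cipher {cipher}: no forward secrecy")
        if is_weak_cipher(cipher):
            findings.append(f"cipher {cipher}: weak algorithm")
    return findings


def hardened_client_context():
    """A client-side SSLContext that will not negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def local_non_pfs_ciphers():
    """Names of cipher suites the local OpenSSL build offers that lack PFS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c["name"])]


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
    print("local OpenSSL suites without PFS:", local_non_pfs_ciphers())
```

Running it against the sample prints six findings: the SSLv3 line, three suites without forward secrecy, and two weak-algorithm hits (RC4 and 3DES). The interesting part for the thread's argument is that none of the TLS 1.0 browsers listed above are affected by removing SSLv3; they are only cut off if TLS 1.0 itself is disabled, which is a separate decision.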

  4. Spaceman Spiff

    So what happens when?

    So, what happens when the government mandates backdoors and access to this data? Guess what? The criminals will be close behind! Here we go again!

    I am not saying that the credit card industry doesn't need to incorporate stronger security and encryption - it does. My wife was hacked when Target was pwnd. Fortunately, the card she used was an American Express card, and they are very good at detecting fraudulent activities - someone tried to purchase a computer in Fremont, California (we live in Illinois) on her card, and they blocked it, informed the police, and the perpetrator was arrested, computer in hand! My concern is that the attitudes of our current FBI, DOJ, CIA, NSA, and other government officials are seriously undermining our efforts to be more secure. This has to stop!
