Care to enlighten us on what PFS is? Google is not helpful.
A revamp in payment card industry regulations due out later this month will penalise e-commerce enterprises that rely on outdated crypto protocols. The PCI Security Standards Council updated standard – PCI DSS 3.1 – mandates that businesses move away from SSL onto more modern TLS protocols. The council is introducing the …
Tuesday 7th April 2015 12:09 GMT WibbleMe
In terms of SSL protocol, if you were fully compliant then you may alienate some Android phone users, some using Apple web browsers and of course very old IE browsers; this is a huge percentage of your market. So really, for a real-world website, it's a tough nugget.
But don't forget that even if a web site is not compliant it may be using a 3rd party redirect that takes the user off to another website such as Realex/HSBC or PayPal, so there is no card data stored on the "non" PCI/DSS compliant website.
Tuesday 7th April 2015 12:49 GMT Tom 13
Re: you may alienate some
Tough. Quite frankly, governments ought to issue edicts that all of their webpages and web apps meet these standards too. I'm tired of having to skip MS Critical Updates and having both SSL v2 and v3 enabled because some web application doesn't support the appropriate protocols. It's as bad as having the default admin password on an internet facing server set to 12345 or password.
Tuesday 7th April 2015 14:54 GMT Justin Pasher
Re: Older browsers
By disabling SSLv3, you really don't cut off that many people (communication via older scripts could be a different story). PFS is recommended, but that's not what this is talking about.
Android 2.3.7 - Uses TLS 1.0
IE7 on Vista - Uses TLS 1.0
IE8 on WinXP - Uses TLS 1.0
Safari 5 on OS X 10.6.8 - Uses TLS 1.0
Safari 6 on iOS 6 - Uses TLS 1.2
Does not work:
IE6 on WinXP - Uses SSLv3
I'm sorry, but if you are really that concerned about cutting off IE6 users on Windows XP, then you need to contact those people and tell them to get their act together. Either upgrade off an unsupported OS or switch to an alternate browser that was written in the past decade.
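As an added illustration of the change this comment describes (it is not the commenter's own configuration or anything from the article): an nginx server block before and after disabling SSLv3, keeping TLS 1.0 so the older clients listed above still connect, and preferring ECDHE cipher suites so sessions get forward secrecy (PFS). The hostname, certificate paths and cipher list are assumptions, not values from the page.

```nginx
# BEFORE (assumed legacy config): SSLv3 still enabled, cipher choice left to
# the client, so an IE6/WinXP client can negotiate SSLv3 and non-PFS suites.
server {
    listen 443 ssl;
    server_name shop.example.com;              # assumed hostname
    ssl_certificate     /etc/ssl/shop.example.com.crt;  # assumed path
    ssl_certificate_key /etc/ssl/shop.example.com.key;  # assumed path

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 is what PCI DSS 3.1 drops
    ssl_ciphers   HIGH:!aNULL:!MD5;             # no preference for ECDHE, no PFS guarantee
}

# AFTER: SSLv3 removed. TLS 1.0 is kept on purpose because Android 2.3.7,
# IE7/Vista, IE8/XP and Safari 5 in the list above negotiate only TLS 1.0;
# IE6 on XP (SSLv3 only) can no longer connect, which is the intended effect.
server {
    listen 443 ssl;
    server_name shop.example.com;              # assumed hostname
    ssl_certificate     /etc/ssl/shop.example.com.crt;  # assumed path
    ssl_certificate_key /etc/ssl/shop.example.com.key;  # assumed path

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ECDHE suites first: the ephemeral EC Diffie-Hellman exchange gives PFS,
    # so a later compromise of the server key does not decrypt recorded traffic.
    # Order and contents are an assumed example list, not a mandated one.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:!aNULL:!eNULL:!MD5:!RC4";
    ssl_prefer_server_ciphers on;   # server order wins, so PFS suites are picked when available
    ssl_ecdh_curve prime256v1;      # curve for the ECDHE exchange
}
```

After reloading nginx, check from a test host with `openssl s_client -connect shop.example.com:443 -ssl3`, which should fail the handshake, while `-tls1` and `-tls1_2` should succeed and report an ECDHE cipher.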
Tuesday 7th April 2015 16:30 GMT Spaceman Spiff
So what happens when?
So, what happens when the government mandates backdoors and access to this data? Guess what? The criminals will be close behind! Here we go again!
I am not saying that the credit card industry doesn't need to incorporate stronger security and encryption - it does. My wife was hacked when Target was pwnd. Fortunately, the card she used was an American Express card, and they are very good at detecting fraudulent activities - someone tried to purchase a computer in Fremont, California (we live in Illinois) on her card, and they blocked it, informed the police, and the perpetrator was arrested, computer in hand! My concern is that the attitudes of our current FBI, DOJ, CIA, NSA, and other government officials are seriously undermining our efforts to be more secure. This has to stop!