in Uncategorized

PCI Security Scans, SSL, and Your Customers

As discussed in this recent post there have been a passel of painful SSL problems in the past year. Everything from bugs deep in the core of the most common SSL code on the net, to fundamental problems with older versions of the SSL protocol which can’t be fixed by new code.

This last category of problems means that for an SSL site to be considered truly safe one must disable several older versions of the SSL/TLS protocols.  The degree of exposure you or your customer might be subject to is debatable, but it doesn’t pay to take chances in this area.  In fact, in order to pass a PCI scan, which credit card processing companies now require of their merchants, one must disable these older protocols.

Sadly this means some users with older browsers will not be able to make a connection to your secure site.  You, the merchant, are really stuck in the middle.  You can’t enable those users to access your site without putting all of your users at risk.  On the positive side, the fix is easy for most users: upgrade their browser to the current version.

Here are the minimum browser versions required to be able to connect to a secure web site which has disabled the old, unsafe protocols:

  • Internet Explorer 11 (Windows 7) [newer protocols can be enabled in IE9 and IE10 but are disabled by default]
  • Safari 7 (OS X 10.9, IOS 7)
  • Chrome 40 (Desktop and Mobile)
  • Android 4.4.3 (can be enabled in earlier versions back to 4.2)
  • FireFox 34
  • Opera 27

If you have an SSL web site, and users have trouble connecting with older browsers, check to see what version they are running and suggest an update.  There are many security bugs that have been fixed in all of these browsers in the past few years, so they will be much safer in many ways if they can update.

If you have any questions, please contact us via email to help at swcp dot com