Important PCI Changes!

PCI v3.2 Migrating SSL/Early TLS June 30 Deadline

SSL/early TLS are no longer considered secure forms of encryption for payment card data!

PCI DSS v3.1 published in April 2015 included a June 2016 deadline for disabling SSL/early TLS and implementing a secure encryption protocol. Based on industry feedback, in December 2015 PCI SSC revised the deadline from 30 June 2016 to 30 June 2018. This date is included in Appendix A2 of PCI DSS v3.2, published in April 2016.

The IGA has upgraded its networks to TLS, supporting versions 1.0, 1.1 and 1.2. We have ceased support for SSL v2 and SSL v3, and we are going to terminate support for TLS 1.0 soon! Please make sure you have upgraded to the latest browser version and disabled SSL and TLS 1.0. Your information is at risk whenever you are using SSL or TLS 1.0!

What is the risk?

Because of its widespread use online, SSL/early TLS has been targeted by security researchers and attackers. Many serious vulnerabilities in SSL/early TLS (e.g. POODLE, BEAST, CRIME, Heartbleed) have been uncovered over the past 20 years, making it an unsafe method for protecting sensitive data.

Online and e-commerce environments using SSL/early TLS are the most susceptible to these vulnerabilities and should be upgraded immediately. E-commerce merchants are also encouraged to implement a customer communication strategy that educates their customers about the dangers of outdated browser software and the risk this poses to customer data.

What Can I Do As A Merchant?

Start using TLS 1.1 or 1.2 now! Some versions of Windows Server (including Windows Server 2008 using IIS 7) allow SSL 2.0 and SSL 3.0 by default. Unfortunately, these are insecure protocols and you will fail a PCI Compliance scan if you don't disable them. To properly secure your server and ensure that you pass your PCI-DSS scans, you will need to disable SSL 2.0, SSL 3.0 and disable weak ciphers. Other algorithms are also insecure and current ones may be deprecated in the future. Make sure to follow SSL Deployment Best Practices when determining which protocols and ciphers to enable.

If You Are Using Windows Server, You Probably Have SSL Enabled. Follow The Steps Below To Disable It.



Using A GUI

The simplest way to disable insecure protocols and ciphers is to use a GUI. Because Windows doesn't provide such an interface, you'll need to use a tool like Nartac's IIS Crypto tool to disable the insecure options.

Manually Disable SSL 2.0 and SSL 3.0

In order to manually disable SSL 2.0 and SSL 3.0 and make sure that the stronger TLS protocols are used, follow these instructions:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key/folder:

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
  4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  5. Enter Enabled as the name and hit Enter.
  6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
  7. Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.
  8. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  9. Enter Enabled as the name and hit Enter.
  10. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
  11. Restart the computer.
  12. Verify that no SSL 2.0 or SSL 3.0 ciphers are available at http://ssl-checker.online-domain-tools.com/

Note: This process is essentially the same on an IIS 6 (Windows Server 2003) machine. Normally, the Server key under SSL 2.0 will already be created so you will just need to create a new DWORD value under it and name it Enabled.

For more information, read Microsoft's Knowledge Base article on how to disable SSL 2.0 and other protocols in IIS 7.
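Step 12 above relies on an external checker. The following is an added example, not part of the original post or of IGA's tooling, that performs the same verification from a client of your own: it attempts a connection with one specific SSL/TLS version at a time and reports whether the server accepted it. It assumes Windows PowerShell 5.1 on .NET Framework, where the SslProtocols enum still exposes Ssl3 and Tls (TLS 1.0); the host name is a placeholder to replace with your own server.

```powershell
# Added example, not from the original post: probe which SSL/TLS versions a
# server still negotiates. Run it after the reboot to confirm SSL 3.0 and
# TLS 1.0 are gone, alongside the external checker the post links to.
# Assumptions: Windows PowerShell 5.1 / .NET Framework (SslProtocols still has
# Ssl3 and Tls); 'www.example.test' is a placeholder for your own server.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    # We only want to know whether the version is negotiable, so the server
    # certificate is not validated here. Never reuse this callback for a
    # connection that carries real data.
    $noCertCheck = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    try {
        $client.Connect($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCertCheck)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $true;  Cipher = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)"; Detail = $null }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Handshake rejected: the expected answer for SSL 3.0 / TLS 1.0 on a hardened server.
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Cipher = $null; Detail = $_.Exception.Message }
    }
    catch {
        # Transport error (unreachable host, reset mid-handshake): not a protocol answer.
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $null;  Cipher = $null; Detail = $_.Exception.Message }
    }
    finally {
        $client.Dispose()
    }
}

# Placeholder target; the names are SslProtocols enum members (Tls = TLS 1.0).
$target  = 'www.example.test'
$results = foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -ComputerName $target -Protocol ([System.Security.Authentication.SslProtocols]$name)
}
$results | Format-Table -AutoSize

# Anything older than TLS 1.1 that still reports Accepted = True needs fixing.
$results | Where-Object { $_.Accepted -eq $true -and $_.Protocol -in 'Ssl3', 'Tls' } |
    ForEach-Object { Write-Warning "$target still accepts $($_.Protocol)" }
```

The probe runs under the client machine's own SCHANNEL policy: if SSL 3.0 or TLS 1.0 is already disabled on the client side, the handshake is refused before the server gets a say and shows up as Accepted = False regardless of the server's configuration. Run it from a machine whose client settings still allow those versions, or fall back to the external checker, when you need a statement about the server alone.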



Disable Weak Ciphers In IIS 7.0

In addition to disabling SSL 2.0, you can disable some weak ciphers by editing the registry in the same way. To speed up the process, you can paste the following into a text file, name it disableWeakCiphers.reg, and then double-click it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
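The manual regedit steps for SSL 2.0 and SSL 3.0 and the disableWeakCiphers.reg file above both write the same SCHANNEL keys. The script below is an added example, not part of the original post or of IGA's tooling, that makes those changes from PowerShell so they can be dry-run with -WhatIf and read back afterwards. It assumes an elevated Windows PowerShell session on the server itself, uses the protocol and cipher key names from the post, and still needs the reboot the post calls for, because SCHANNEL reads these keys at boot.

```powershell
# Added example, not from the original post: the SCHANNEL changes the post
# makes with regedit and disableWeakCiphers.reg, done from PowerShell.
# Assumptions: elevated Windows PowerShell on the server; protocol and cipher
# names are the SCHANNEL key names used in the post; reboot still required.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Disable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,            # 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = "$SchannelRoot\Protocols\$Name\$s"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0 and DisabledByDefault=1')) {
            New-Item -Path $key -Force | Out-Null
            # Enabled=0 switches the version off outright; DisabledByDefault=1
            # also keeps it out of the default list for callers that do not
            # name a version explicitly.
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Disable-SchannelCipher {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)          # 'RC4 40/128', 'NULL', ...
    # Cipher key names contain '/', which the PowerShell registry provider
    # treats as a path separator, so New-Item would create 'RC4 40' and '128'
    # as two keys. The .NET registry API takes the name literally.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    try {
        if ($PSCmdlet.ShouldProcess("SCHANNEL\Ciphers\$Name", 'Set Enabled=0')) {
            $sub = $ciphers.CreateSubKey($Name)
            $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $sub.Close()
        }
    }
    finally { $ciphers.Close() }
}

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($s in 'Server', 'Client') {
            $key   = "$SchannelRoot\Protocols\$p\$s"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            # A missing value means SCHANNEL uses the OS default for that version.
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# Protocols the post removes, plus TLS 1.0, which the post says is next.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0' | ForEach-Object { Disable-SchannelProtocol -Name $_ }

# The cipher list from the post's disableWeakCiphers.reg.
'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128' |
    ForEach-Object { Disable-SchannelCipher -Name $_ }

Get-SchannelProtocolState | Format-Table -AutoSize
# Restart-Computer   # uncomment once the table above looks right
```

Set `$WhatIfPreference = $true` at the top to see every key the script would touch without writing anything. Two points worth checking before running it for real: confirm the server actually offers TLS 1.1 or 1.2 before TLS 1.0 is removed, or every client will be locked out; and note that the Client-side keys also govern the server's own outbound connections, so a payment gateway or database link that only speaks TLS 1.0 will break as well. Pass `-Side Server` if you only want to change what the server accepts.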


Too Complicated? Let Us Help You Or Start Using IGA Hosting! IGA Managed Hosting Includes Basic PCI Compliance With The Option Of TLS Protocol. Needing More Security? IGA PCI DSS Server Offers You A Dedicated Server Under PCI DSS Level 1 Security Standard!

What Can I Do As A Customer?

There's not much you can do if your favourite store isn't supporting TLS 1.1 and 1.2, BUT you can protect yourself against websites that are not using TLS 1.1 and 1.2.

CHANGE YOUR BROWSER DEFAULT! In many browsers you can choose whether SSL and TLS 1.0 are enabled or disabled. We suggest disabling them: the browser will then refuse any connection that uses SSL or TLS 1.0, which means you won't be able to use websites that still run on SSL or TLS 1.0, but it certainly protects you from them. IGA websites, including MonsterBuster.Club, have terminated support for SSL v2 and SSL v3. This protects you and your passwords from hackers.

So how do you change it?

Internet Explorer
  1. Open Internet Explorer
  2. Click Tools
  3. Click Internet Options
  4. Click the Advanced tab
  5. Uncheck the options for Use SSL 2.0 and Use SSL 3.0. If possible, do the same for TLS 1.0.
  6. Click OK
  7. Exit and relaunch the browser


Chrome
  1. Open Google Chrome
  2. Click the Chrome menu button.
    Note: The button is in the upper right of the browser and is indicated by three horizontal lines.
  3. Click Settings
  4. Click Show advanced settings
  5. Click Change proxy settings under the Network section
  6. Click the Advanced tab
  7. Uncheck the options for Use SSL 2.0 and Use SSL 3.0. If possible, do the same for TLS 1.0.
  8. Close the Settings tab
  9. Exit and relaunch the browser


Firefox (Windows)
  1. Open Mozilla Firefox
  2. Click the Firefox menu
  3. Click Options
  4. Click the Advanced icon
  5. Click the Encryption tab
  6. Uncheck the options for Use SSL 2.0 and Use SSL 3.0. If possible, do the same for TLS 1.0.
  7. Click OK
  8. Exit and relaunch the browser


Firefox (macOS)
  1. Open Mozilla Firefox
  2. Click the Firefox menu
  3. Click Preferences
  4. Click the Advanced icon
  5. Click the Encryption tab
  6. Uncheck the options for Use SSL 2.0 and Use SSL 3.0. If possible, do the same for TLS 1.0.
  7. Close the Preferences window
  8. Exit and relaunch the browser
