PCI-DSS SSL/TLS compliance – SSL-TLS-1.0/1.1/1.2/1.3

For almost two decades, the Secure Sockets Layer (SSL) protocol, and its successor, Transport Layer Security (TLS), have been essential components in website and information security.

For sites that have to be compliant with PCI DSS (Payment Card Industry Data Security Standard), such as online shops which accept payment, or any site where card data is processed, the PCI Security Standards Council has set the following standards for SSL/TLS compliance:


  • TLS 1.3 – Compliant
  • TLS 1.2 – Compliant and strongly encouraged
  • TLS 1.1 – Compliant, but TLS 1.2 is strongly encouraged
  • TLS 1.0 – Non-compliant and must be disabled
  • SSL (all versions) – Non-compliant and must be disabled
  • Deadline – 30 June 2018
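Added example (not from the original article): a Python probe that offers a server one protocol version at a time and grades each answer against the table above, so an operator can confirm that SSL and TLS 1.0 are actually switched off before the deadline. To keep it self-contained it also spins up a throwaway local server, first with TLS 1.0 still enabled (the setting that must go) and then with TLS 1.2 as the floor. The demo server, the host and port, and the use of the openssl command-line tool to mint a self-signed certificate are all assumptions of this example, not anything the article describes.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# PCI DSS status per protocol version, copied from the table above.
PCI_STATUS = {
    "SSLv3":   "non-compliant, must be disabled",
    "TLSv1":   "non-compliant, must be disabled",
    "TLSv1_1": "compliant, but TLS 1.2 strongly encouraged",
    "TLSv1_2": "compliant, strongly encouraged",
    "TLSv1_3": "compliant",
}


def try_version(host, port, name, timeout=5.0):
    """Offer exactly one protocol version to the server.

    Returns True if the server completed the handshake at that version, False if
    it refused, and None if the local OpenSSL build cannot even offer it (so this
    client cannot tell either way)."""
    version = ssl.TLSVersion[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not validating identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def audit(host, port):
    """Map each version name to (accepted, pci_status) for the given server."""
    return {name: (try_version(host, port, name), status)
            for name, status in PCI_STATUS.items()}


def pci_violations(report):
    """Version names the server accepted although PCI DSS says they must be disabled."""
    return sorted(name for name, (accepted, status) in report.items()
                  if accepted and status.startswith("non-compliant"))


def start_demo_server(minimum):
    """Throwaway local TLS server for the demo; its oldest offered version is `minimum`.

    Assumption: the `openssl` CLI is on PATH to mint a self-signed certificate.
    Returns (port, stop_event), or None when the CLI is unavailable."""
    tmp = tempfile.mkdtemp()
    cert, key = os.path.join(tmp, "cert.pem"), os.path.join(tmp, "key.pem")
    try:
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key, "-out", cert, "-days", "1",
                        "-subj", "/CN=localhost"], check=True, capture_output=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.minimum_version = ssl.TLSVersion[minimum]  # the knob PCI DSS cares about
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.5)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            conn.settimeout(5.0)
            try:
                ctx.wrap_socket(conn, server_side=True).close()  # handshake, then done
            except (ssl.SSLError, OSError):
                pass  # client offered a version this server refuses
            finally:
                conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop


if __name__ == "__main__":
    for minimum in ("TLSv1", "TLSv1_2"):  # weak setting beside the corrected one
        srv = start_demo_server(minimum)
        if srv is None:
            print("openssl CLI not found; cannot mint a demo certificate")
            break
        port, stop = srv
        report = audit("127.0.0.1", port)
        print(f"server minimum {minimum}:")
        for name, (accepted, status) in report.items():
            print(f"  {name:8} accepted={accepted!s:5} ({status})")
        print("  PCI violations:", pci_violations(report) or "none")
        stop.set()
```

A result of None for a version means the probing machine's own OpenSSL would not offer it, which says nothing about the server; run the probe from a client that can still speak the old versions when you need a definitive answer about TLS 1.0 or SSLv3.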

Things you should know about – TLS 1.3

As of March 21, 2018, TLS 1.3 has arrived as the new standard encryption protocol for websites. Compared to TLS 1.2, TLS 1.3 offers improved speed. The faster speed for encrypted connections stems from features such as Zero Round Trip Time (0-RTT) and TLS false start.

In the past, TLS 1.2 required two round-trips to finish a TLS handshake. In contrast, TLS 1.3 only needs to complete one round-trip. This reduces encryption latency by one-half. With this feature, users will be able to browse websites faster and with greater security.

TLS 1.3 has removed deprecated features, including SHA-1, RC4, DES and AES-CBC, that were vulnerable to attacks such as the RC4, POODLE, Heartbleed, ROBOT and BEAST exploits.

TLS 1.3 has discontinued the following ciphers and algorithms:

  • RC4 Stream Cipher
  • RSA Key Transport
  • SHA-1 Hash Function
  • CBC Mode Ciphers
  • MD5 Algorithm
  • Various Diffie-Hellman groups
  • EXPORT-strength ciphers
  • DES
  • 3DES
