In April 2015, the PCI Security Standards Council released PCI DSS 3.1, which defines the security requirements and controls for systems that handle cardholder data, including which protocols are acceptable for secure communications. PCI DSS 3.1 originally required that TLS 1.0 be disabled by June 30, 2016; the Council later extended that deadline to June 30, 2018. While all modern browsers and platforms support TLS 1.2 and no longer need TLS 1.0 to connect, some organizations still connect to Slate, typically for web services, using the outdated and insecure TLS 1.0 protocol.
Beginning in 2015, we announced the forthcoming disablement of TLS 1.0 and have shown a warning to every user connecting over TLS 1.0, encouraging them to upgrade their browser or platform before support for the protocol is discontinued.
Access to payment pages over TLS 1.0 has already been disabled for several years: users who attempt to reach a payment page over TLS 1.0 are redirected to a browser upgrade page so that cardholder data is never transmitted over an insecure protocol.
Plan
- On April 15, 2018, we will begin disabling support for TLS 1.0 and TLS 1.1. We are including TLS 1.1 in this plan because our data show little to no access over TLS 1.1. Nearly every modern browser and platform implemented TLS 1.2 at the same time as TLS 1.1, so TLS 1.1 is rarely observed in the wild.
- Requests over TLS 1.0 and TLS 1.1 to web service imports and exports, as well as to certain non-interactive methods, are being logged and are available for an institution to review in the Standard Query Library report "TLS 1.0 and TLS 1.1 Service Log". This report displays the 500 most recent TLS 1.0 and TLS 1.1 connections from the past 30 days to the typical service endpoints of a production database and its corresponding test environment. Review it before the test-environment cutover, since each entry identifies a client that will stop working once the protocol is disabled.
- On April 15, 2018, support for TLS 1.0 and TLS 1.1 will be disabled in all test environments. On June 1, 2018, support for TLS 1.0 and TLS 1.1 will be disabled in all production environments.
Testing
If you would like to test a connection to Slate to ensure that your client library supports connections over TLS 1.2, you may attempt a connection to https://cluster.ca-central-1.technolutions.net/tls, which, if successful, will return "OK". If the client library does not support TLS 1.2, the TLS handshake will fail and no connection will be established. Run this test from the same host, runtime and client library that make the production connection: protocol support depends on the operating system and the library's defaults, not only on the application code, so a test from a developer's browser says nothing about a scheduled integration job.
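The following Go program is an added example, not code from Slate or from this page. It does what the test above describes: it probes a /tls endpoint with a client pinned to TLS 1.2 or newer and reports the negotiated protocol version and the response body. So that it also runs offline, it starts a local stand-in server that answers "OK" on /tls and refuses handshakes below TLS 1.2, then probes that server once with a modern client and once with a client deliberately limited to TLS 1.0/1.1 to reproduce the failure mode. The local server, its handler and all function names are assumptions made for the example; pass the Slate URL as an argument to probe the real endpoint with the system trust store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// ProbeResult is what one probe of a /tls-style endpoint observed.
type ProbeResult struct {
	Version string // negotiated protocol, e.g. "TLS 1.2"
	Body    string // response body; the Slate endpoint answers "OK"
}

// VersionName maps a crypto/tls version constant to its common name.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("unknown (0x%04x)", v)
}

// ModernClientConfig pins the client to TLS 1.2 or newer.
// roots may be nil to use the system trust store.
func ModernClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots}
}

// LegacyClientConfig imitates a client library that can only speak TLS 1.0/1.1
// (an assumed stand-in for an outdated integration), so the failure can be reproduced locally.
func LegacyClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11, RootCAs: roots}
}

// Probe fetches url with the given TLS settings and reports what was negotiated.
// A client that cannot offer TLS 1.2 gets a handshake error here, never a response body.
func Probe(url string, cfg *tls.Config) (ProbeResult, error) {
	client := &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
	resp, err := client.Get(url)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	if resp.TLS == nil {
		return ProbeResult{}, errors.New("response did not arrive over TLS")
	}
	return ProbeResult{Version: VersionName(resp.TLS.Version), Body: strings.TrimSpace(string(body))}, nil
}

// StartTLS12OnlyServer runs a local stand-in for the endpoint (an assumption of this example):
// it answers "OK" on /tls and, like Slate after the cutover, refuses handshakes below TLS 1.2.
func StartTLS12OnlyServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/tls", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "OK")
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// RootsFor builds a trust pool holding only the local test server's self-signed certificate.
func RootsFor(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

func main() {
	// With a URL argument, probe a real endpoint using the system trust store.
	if len(os.Args) > 1 {
		res, err := Probe(os.Args[1], ModernClientConfig(nil))
		if err != nil {
			fmt.Println("probe failed:", err)
			os.Exit(1)
		}
		fmt.Printf("%s negotiated %s, body %q\n", os.Args[1], res.Version, res.Body)
		return
	}
	// Otherwise reproduce both outcomes against the local TLS 1.2-only server.
	srv := StartTLS12OnlyServer()
	defer srv.Close()
	roots := RootsFor(srv)
	url := srv.URL + "/tls"
	if res, err := Probe(url, ModernClientConfig(roots)); err == nil {
		fmt.Printf("modern client: negotiated %s, body %q\n", res.Version, res.Body)
	}
	if _, err := Probe(url, LegacyClientConfig(roots)); err != nil {
		fmt.Println("legacy client:", err)
	}
}
```

The point of reading resp.TLS.Version rather than just checking for "OK" is that a library may silently fall back to an older protocol against a server that still allows it; pinning MinVersion on the client side makes your own integration fail loudly today rather than on the cutover date.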
Timeline
Date | Item |
---|---|
2015 | PCI DSS 3.1 published, requiring that TLS 1.0 be disabled by June 30, 2016 |
2015 | Deadline extended to June 30, 2018 |
2015 | Browser warning added for users accessing via TLS 1.0 |
2015 | Access to payment pages disabled for interactive users accessing via TLS 1.0 |
2015 | Notice of TLS 1.0 disablement in 2018 published |
2015 through 2018 | Many organizations upgrade legacy applications |
2018 March 1 | Fewer than 15% of organizations make connections to Slate over TLS 1.0 |
2018 March 5 | Email notice sent to all Slate Captains |
2018 April 15 | TLS 1.0 and TLS 1.1 will be disabled in all test environments |
2018 June 1 | TLS 1.0 and TLS 1.1 will be disabled in all production environments |