
TLSv1 enable past 2018

Printed From: RomanCart.com Forum
Category: RomanCart
Forum Name: Suggestions and Improvements
Forum Description: If you think RomanCart needs to do something extra say it here!
URL: http://forums.romancart.com/forum_posts.asp?TID=13700
Printed Date: 05 December 2023 at 3:41pm


Topic: TLSv1 enable past 2018
Posted By: henrycart
Subject: TLSv1 enable past 2018
Date Posted: 12 April 2019 at 1:53pm
As far as I know, for e-commerce sites to be PCI compliant, TLSv1 should be disabled by June 2018. I assume this relates to the area of sites for customer details & checkout/payment section.

When I checked, the RomanCart checkout was still using a shared Cloudflare SSL certificate which is shared with other sites, rather than its own dedicated SSL certificate. I did mention this a while back, but was happy with the replies at the time. However, I have now become aware of the requirement to disable TLSv1 and the deadline of June 2018 has passed. On further reading, TLSv1 cannot be disabled on a shared Cloudflare certificate or free plan.

Can RomanCart upgrade their SSL or Cloudflare plan to disable TLSv1 and become PCI compliant, or have I got it completely wrong from googling too much and not really understanding things?


https://www.whynopadlock.com/results/74ec7e1c-eca9-4893-aa5e-0c0ceec2bebf - Test Results with TLSv1 comment at bottom of page



Replies:
Posted By: Support
Date Posted: 12 April 2019 at 4:39pm
Hi,
Firstly a technicality - PCI is for systems processing card details.
RomanCart does not come into contact with any card details (no matter what it might look like). They are dealt with by the payment gateway that you are using with RomanCart on their own systems which must be PCI certified. RomanCart is 'Out of Scope' of PCI.

Cloudflare offers all levels of TLS so it will always support the highest levels of encryption.

I wouldn't advise enforcing a high level of TLS unless you have to as a lot of browsers won't work. Whilst that's ok for the payment pages you really don't want your actual website to be inaccessible.

Many Thanks
Support


