
TLSv1 enable past 2018

henrycart

Joined: 21 September 2013
    Posted: 12 April 2019 at 1:53pm
As far as I know, for e-commerce sites to be PCI compliant, TLSv1 should be disabled by June 2018. I assume this relates to the area of sites for customer details & checkout/payment section.

When I checked, the RomanCart checkout was still using a shared Cloudflare SSL certificate which is shared with other sites, rather than its own dedicated SSL certificate. I did mention this a while back, but was happy with the replies at the time. However, I have now become aware of the requirement to disable TLSv1 and the deadline of June 2018 has passed. On further reading, TLSv1 cannot be disabled on a shared Cloudflare certificate or free plan.

Can RomanCart upgrade their SSL or Cloudflare plan to disable TLSv1 and become PCI compliant, or have I got it completely wrong from googling too much and not really understanding things?

Test Results with TLSv1 comment at bottom of page
Support
RomanCart Team

Joined: 16 March 2004
Location: United Kingdom
Posted: 12 April 2019 at 4:39pm
Firstly a technicality - PCI is for systems processing card details.
RomanCart does not come into contact with any card details (no matter what it might look like). They are dealt with by the payment gateway that you are using with RomanCart on their own systems which must be PCI certified. RomanCart is 'Out of Scope' of PCI.

Cloudflare offers all levels of TLS so it will always support the highest levels of encryption.

I wouldn't advise enforcing a high level of TLS unless you have to as a lot of browsers won't work. Whilst that's ok for the payment pages you really don't want your actual website to be inaccessible.

Many Thanks