Risk Mitigation and Migration Plan
Payment Card Industry Data Security Standard (PCI DSS) 3.1
PCI SSC has released version 3.1 of the PCI DSS requirements. A key part of these new requirements mandates that SSL (Secure Sockets Layer) and early versions of TLS (Transport Layer Security) no longer be used for web servers, Point of Sale devices and other network communications that require “strong cryptography.”
Because a number of web browsers do not fully support TLS versions newer than TLSv1.0, and a significant share of our website's visitors still use those browsers, we will delay our full migration to TLSv1.1/1.2 to as late as March 31, 2018.
Our schedule for migration is as follows:
- 09/25/2016 – Ginger (5) – Complete
- 06/30/2017 – MaryAnn (3)
- 08/31/2017 – Professor (4)
- 10/31/2017 – Howells (1)
- 01/31/2018 – Skipper (L1)
- 03/31/2018 – Gilligan (Development)
Existing development sites will be updated with their production server date.
* The Gilligan's Island character names were assigned for ease of reference.
The schedule was extended in 2016 along with the PCI DSS 3.1 compliance deadline.
Some websites may display a warning to web visitors explaining why they will be unable to connect to the secured website if they use an unsupported browser. This warning will remain available on non-secured pages after the migration as well.
We have specified a server-side cipher order preference so that browsers and other clients which support the more secure protocols are required to use them.
We monitor the National Vulnerability Database (https://nvd.nist.gov) for any new CVEs associated with SSL/TLS 1.0, and work with several independent third-party PCI services to verify that our systems are up-to-date and secure.
TLS 1.0 will be disabled on our front-end websites well before the deadline of June 30, 2018, our present plan being to do so before March 31, 2016. Website visitors who have not upgraded their web browsers will no longer be able to access encrypted web pages and services on our systems.
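As an added illustration (not configuration taken from this plan or from Cazarin Interactive), the following Apache httpd 2.4 mod_ssl fragment shows the pre-migration protocol setting beside the post-migration one, with the server-side cipher order preference described above; the host name and certificate paths are placeholders.

```apache
# Added example, not the plan's own configuration. Placeholder host name and paths.
#
# BEFORE the migration (weak): SSLv3 and TLS 1.0 are still accepted and the
# client, not the server, decides which cipher suite is used:
#
#   SSLProtocol all -SSLv2
#   SSLHonorCipherOrder off

<VirtualHost *:443>
    # Placeholder host name
    ServerName www.example.com
    SSLEngine on
    # Placeholder certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # AFTER the migration: refuse SSLv3 and early TLS (TLSv1 = TLS 1.0) so only
    # TLS 1.1 and TLS 1.2 remain, matching the TLSv1.1/1.2 target of the plan.
    # To allow TLS 1.2 only, add "-TLSv1.1" as well.
    SSLProtocol all -SSLv3 -TLSv1

    # Server-side cipher order preference: a client that supports the stronger
    # suites listed first is required to negotiate them instead of a weaker one.
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!MD5:!RC4:!3DES
</VirtualHost>

# Verification after reload (run from a client, not part of the config):
#   openssl s_client -connect www.example.com:443 -tls1
# should now fail the handshake, while -tls1_2 should succeed.
```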
Cazarin Interactive – Maple Grove, Minnesota, USA