March 19, 2018
At Magento Commerce, we want to make it easy for our merchants to protect shopper data and maintain the trust of their customers. A key part of that trust is following the best practices required to be PCI compliant. Magento Commerce Cloud is PCI certified as a Level 1 Solution Provider to pave the way for you to obtain your store’s own PCI compliance. To that end, Magento Commerce is on top of security standards.
New PCI Requirements
You may have heard that one of the newer requirements for PCI compliance on your site is supporting the latest Transport Layer Security protocol, commonly referred to as TLS. TLS is a protocol for establishing a secure website connection, the latest version being TLS 1.2. Earlier versions of TLS, as well as SSL, no longer meet minimum security standards due to security vulnerabilities. To remain PCI compliant, all merchants and technology vendors will be required to provide TLS 1.2 connections while removing support for older security standards.
To prepare for this requirement, to maintain the PCI compliance of the Magento Commerce Cloud platform, and to continue providing the highest level of security, we have updated our cloud infrastructure to support TLS 1.2. To ensure your store’s security, starting April 30th Magento Commerce Cloud will accept only connections that use TLS 1.2 or higher and will no longer accept inbound connections from visitors using earlier versions of TLS or SSL.
What It Means for Magento Commerce Merchants
This security update will automatically be provided to our merchants and no action will be needed to enable it. However, some older browsers do not support TLS 1.2 and visitors using these browsers will eventually need to upgrade in order to access your store. Some of the common commercial web browsers and versions that support TLS 1.2 by default are:
Google Chrome version 30 or later
Mozilla Firefox version 27 or later
Apple Safari (desktop) version 7 or later
Apple Safari (mobile) for iOS 5 or later
Microsoft Internet Explorer version 11 or later
For most merchants, the number of visitors using older browsers will be very small. However, to avoid potential dips in traffic, we suggest proactively encouraging your visitors to upgrade to a newer, compatible browser through a banner or other communication on your site shown to users on older browsers. This is a new industry standard and, as it becomes more widely adopted, many users will naturally update their browsers. Even so, this is a great opportunity to educate your visitors and remind them of your own dedication to their security.
Learn more about Magento Commerce’s efforts around PCI Compliance here
Learn more about The PCI Security Standards Council’s plans for TLS support here
If you are in the process of obtaining PCI Compliance for your store, your Customer Success Manager can supply you with Magento’s Attestation of Compliance.