Following widespread and disastrous SSL/TLS vulnerabilities such as POODLE and FREAK, SSL and early TLS versions are no longer considered strong cryptography, and any web site that still uses them is insecure.
For PCI Clients:
According to the new rules in PCI DSS v3.1, companies have until June 30, 2016 to update to a more recent version of TLS (1.2). Prior to this date, existing implementations using SSL or early TLS must have a formal risk mitigation and migration plan in place.
The PCI DSS v3.1 requirements directly affected are:
- Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons considered insecure.
- Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
For non-PCI clients, this change adds extra security measures for your environments and affects connections to any ZZ Servers services.
ZZ Servers will be disabling SSLv3, TLS 1.0, TLS 1.1 and all related weak ciphers for these protocols on January 8, 2016 for all ZZ Servers services. Please update and test your application(s) and services as needed. Please contact your Account Manager as soon as possible if you require assistance with this change.