Companies undergoing SSL/TLS compliance assessments are often asked for their Risk Mitigation and Migration Plan for the Payment Card Industry Data Security Standard (PCI DSS) 3.1 requirements. The questions and our answers follow.
Where are SSL/TLS 1.0 currently used in your environment? SSL is used throughout the environment. TLS 1.0 is enabled, but only to catch old browsers and notify them that they cannot connect to our servers unless they support TLS 1.1 or later. This covers all user activity to our application including logins and all activity behind the password.
The only place where we still allow TLS 1.0 is connections to our API. We are working on migrating several partners away from TLS 1.0 and expect them all to be migrated by June 2017. Once the migration is complete we will prevent TLS 1.0 connections to the API as well.
How are you mitigating risks with SSL/TLS 1.0? By not allowing customers to use our application with browsers that do not support TLS 1.1 or greater, we prevent the vast majority of SSL/TLS activity from using TLS 1.0. We do this by detecting the TLS protocol version in use on every connection from outside our environment. If TLS 1.0 is detected, we display a TLS 1.0 warning page at the URL https://example.myschoolapp.com/unsupportedTLS.html. This page explains why the browser cannot connect and how to fix it.
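The detection-and-warning rule described above, together with the API exception that lasts until the partner migration is done, can be enforced at the application tier. The following is an added example and not code from the plan or its owner: a WSGI middleware that sends TLS 1.0 browser requests to the warning page (serving the warning page itself and, while the exemption holds, the API), plus a small access-log check that reports which API partners still negotiate a legacy protocol. The warning URL is taken from the plan; the API prefix `/api/`, the log line format, the partner names and the `SSL_PROTOCOL` environment variable (the name Apache mod_ssl uses with `SSLOptions +StdEnvVars`) are assumptions of this example.

```python
"""Added example, not part of the plan: enforce "warn TLS 1.0 browsers,
tolerate TLS 1.0 on the API for now" at the application tier, and track
which API partners still negotiate a legacy protocol from the access log."""

from collections import defaultdict

# Values taken from the plan
WARNING_URL = "https://example.myschoolapp.com/unsupportedTLS.html"
WARNING_PATH = "/unsupportedTLS.html"

# Assumptions made for this example
API_PREFIX = "/api/"                            # where the partner API is mounted
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # mod_ssl names for SSL and TLS 1.0


def tls_policy_middleware(app, api_exempt=True):
    """Wrap a WSGI app so requests made over a legacy protocol never reach it.

    Assumes the TLS terminator publishes the negotiated protocol as
    environ["SSL_PROTOCOL"] (Apache mod_ssl does with SSLOptions +StdEnvVars).
    If a reverse proxy forwards it in a header instead, the proxy must
    overwrite any client-supplied copy, otherwise a client could simply
    claim a newer protocol than it negotiated.
    """
    def wrapped(environ, start_response):
        proto = environ.get("SSL_PROTOCOL", "")   # empty: terminator did not tell us
        path = environ.get("PATH_INFO", "/")
        is_api = path.startswith(API_PREFIX)

        if proto not in LEGACY_PROTOCOLS:
            return app(environ, start_response)   # TLS 1.1 or later: normal service
        if path == WARNING_PATH:
            return app(environ, start_response)   # the warning page itself (no redirect loop)
        if is_api and api_exempt:
            return app(environ, start_response)   # partners still migrating
        if is_api:
            # After the migration: API clients do not render HTML, so refuse
            # with a clear protocol-level status instead of a redirect.
            body = b"TLS 1.0 is no longer accepted; reconnect with TLS 1.2 or later\n"
            start_response("426 Upgrade Required", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Browser traffic on a legacy protocol: send it to the explanatory page.
        start_response("302 Found", [("Location", WARNING_URL), ("Content-Length", "0")])
        return [b""]
    return wrapped


def legacy_api_clients(log_lines):
    """Count API requests each client made over a legacy protocol.

    Expects one request per line as '<client> <protocol> <method> <path>',
    i.e. an access log format that includes the negotiated protocol field.
    The non-empty entries are the partners still to be migrated.
    """
    counts = defaultdict(int)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                              # malformed line: skip, keep reporting
        client, proto, _method, path = fields[:4]
        if proto in LEGACY_PROTOCOLS and path.startswith(API_PREFIX):
            counts[client] += 1
    return dict(counts)


def call(handler, environ):
    """Invoke a WSGI handler in-process; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(handler(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"application content\n"]


# Constructed sample access log: client, negotiated protocol, method, path.
SAMPLE_LOG = [
    "partner-a TLSv1 POST /api/v1/grades",
    "partner-a TLSv1 GET /api/v1/students",
    "partner-b TLSv1.2 POST /api/v1/grades",
    "partner-c TLSv1.1 GET /api/v1/health",
    "10.0.0.5 TLSv1 GET /login",                  # browser, not API: middleware redirects it
    "garbage line",
]

if __name__ == "__main__":
    guarded = tls_policy_middleware(hello_app)
    for proto, path in [("TLSv1", "/login"), ("TLSv1", "/api/v1/grades"),
                        ("TLSv1", WARNING_PATH), ("TLSv1.2", "/login")]:
        status, _headers, _body = call(guarded, {"SSL_PROTOCOL": proto, "PATH_INFO": path})
        print(f"{proto:8} {path:20} -> {status}")
    print("API partners still on a legacy protocol:", legacy_api_clients(SAMPLE_LOG))
```

Switching `api_exempt` to `False` is the step that corresponds to "prevent TLS 1.0 connections" once the partners have migrated; until then `legacy_api_clients` run over the real access log gives the list of partners who still need to move. Note that a missing `SSL_PROTOCOL` value is treated as non-legacy here, so the policy is only as good as the terminator that supplies it; a deployment that cannot guarantee the field should fail closed instead.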
How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0? We subscribe to several security bulletins, and we have a security team within our corporate structure that monitors for new vulnerabilities and notifies us should any arise.
How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data environment? By preventing TLS 1.0 connections to our application everywhere except our API. We also do not store cardholder data, nor do we accept credit cards directly.
When will your migration plan from SSL/TLS 1.0 be completed? We expect TLS 1.0 to be blocked (with a warning) by June 2017. We will completely remove TLS 1.0 before the June 2018 deadline.