Since June of 2015 Trustwave and others have begun failing e-commerce sites that previously had been passing their monthly PCI security audits. Apparently it’s no longer ok to let people access your site who are running IE 10 and older, Android 4.3 and older, OS X 10.8.4 and older, or a long list of others. While this software may not be THAT old, it’s old enough that it doesn’t work with the latest security protocols & ciphers, and so when you lock-down your site to support only the most secure stuff, you’ll end up blocking those folks on older platforms from visiting your site. But what can you do? Unless that minority of visitors on older technology is bringing in enough revenue to justify the cost of not being PCI compliant (if that’s even an option with your payment processor), it has to be done. (Unfortunately, these people who try to visit your newly locked-down site will usually just get a generic error page from their browser saying the site couldn’t be found, so they’ll never know that the site is alive and well and they just need to update their software! Oh well…)
So, if you want to pass your PCI certification and keep Trustwave’s TrustKeeper PCI Manager (among others) happy, how can you do it? Here’s what worked for me… Read more