Topic
Posts:
3
June 08, 2017

disabling the use of the TLSv1.0 protocol

Shopify is not PCI compliant because it still has TLS v1.0 enabled. Please disable this protocol ASAP. After June 30, 2018, having this protocol enabled will be in violation of all ecommerce standards. I have failed a security scan due to this potential vulnerability and have obtained an exception for a year.

Replies
Jason Shopify Expert freakdesign.com.au
Posts:
9261
Last edited June 08, 2017

Shopify is not PCI compliant

This is not true information (and I've also seen the Shopify PCI compliancy docs / certification with my own eyes).

★ Winning Partner of the Build a Business competition. ★ http://freakdesign.com.au
Posts:
3
June 08, 2017

Justin - Perhaps I was abrupt in my statement, but this is what I'm being told by a PCI compliance scan that I was mandated to take:

This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.

AFTER June 30th, 2018, the server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Please note the port associated with this finding. This finding may NOT be originating from port 443, which is what most online testing tools check by default.

Here is a link to the document from PCI Security Standards: https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf?agreement=true&time=1496952926521
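A way to reproduce the scan finding quoted above on your own endpoints, added here as an example and not code from the thread, the scanner or Shopify: each port is probed with a client pinned to exactly one protocol version, and the scan's own rule (TLSv1.0 must be refused, TLSv1.1 or TLSv1.2 must be available, the port may not be 443) is applied to the result. The names `PROBE_VERSIONS`, `probe` and `assess` are chosen here; host and ports are whatever you pass in.

```python
import socket
import ssl

# Protocol versions the scan finding distinguishes between.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_client_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks off on purpose: we test protocol acceptance, not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Relax OpenSSL's security level so the probe can offer legacy suites at all.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx

def accepts_version(host, port, version, timeout=5.0):
    """True if a handshake pinned to `version` succeeds, False if the server
    refuses it, None if the local OpenSSL build cannot speak that version."""
    try:
        ctx = pinned_client_context(version)
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # handshake alert, reset or timeout all mean "not accepted"
        return False

def probe(host, ports):
    """Per port (the finding need not be on 443): {version name: accepted?}."""
    return {p: {n: accepts_version(host, p, v) for n, v in PROBE_VERSIONS.items()}
            for p in ports}

def assess(results):
    """Apply the scan's rule to one port's results -> (compliant, findings)."""
    findings = []
    if results.get("TLSv1.0"):
        findings.append("TLSv1.0 accepted: disable it in favour of TLSv1.1/TLSv1.2")
    if not (results.get("TLSv1.1") or results.get("TLSv1.2")):
        findings.append("no TLSv1.1/TLSv1.2 offered: enable one before disabling TLSv1.0")
    return (not findings, findings)
```

Call `assess(r)` for each port in `probe("shop.example", [443, 8443])` (hostname and ports constructed here); a `None` for TLSv1.0 means the probing machine's OpenSSL cannot speak it, so that port must be checked from a host that can.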

Aaron B Shopify Employee
Posts:
236
June 08, 2017

Hey, Jean!

My name is Aaron, I'm a guru here at Shopify!

Absolutely understand why you'd be concerned, but good news - as Jason mentioned, we're totally PCI compliant! We currently support TLS 1.2, 1.1 and 1.0. Shopify will use the highest supported version that the client also supports, and we'll discontinue support for TLS 1.0 on or before the June 30th 2018 deadline.

I'll send you an email once I've posted this response - if you'd like a copy of those PCI docs or if you're required by your payment processor to have a risk mitigation and migration plan, just reply to that email and I'll be happy to help out with those resources!

Please feel free to give us a call or start a live chat at any time, we're open 24/7 for your convenience and always happy to assist!

Cheers,

Aaron | Shopify Guru

Posts:
3
June 08, 2017

Aaron - thank you for the quick response. The only ask here is that you disable v1.0 prior to the June 30, 2018 deadline. Since you are already planning on doing that, I'm comfortable with Shopify's PCI compliance. No further follow up needed.