Confirmation about PCI Compliance


#1

Can you confirm that clients will be able to be PCI compliant if they use Let’s Encrypt?

If SSLabs can give you an A+ with it, I can’t see a problem, but would be nice to get a confirmation.


#2

There are two aspects you’ll have to look at - the CA Let’s Encrypt and your TLS configuration. The former is probably not really in scope for PCI, other than things like not using SHA-1 certificates (which Let’s Encrypt doesn’t issue anyway).

When it comes to your TLS configuration, my understanding is that you’re not allowed to use SSLv2, SSLv3, TLSv1.0 or RC4 (though I think there might be a grace period for some of these requirements). I believe the reference client would meet those criteria, but a quick check via SSL Labs should be able to confirm if any of those protocols or ciphers are supported.

Disclaimer: I’m not a lawyer or a PCI auditor. I’m not aware of any “official” documents with regards to PCI compliance of Let’s Encrypt, but as I mentioned my understanding is that the CA is not in scope.


#3

That’s sorta what I figured. Are there any big commerce sites out there using it already? Useful as an example. That and running them by:

https://www.ssllabs.com/ssltest/

Establishing a good precedent is important!


#4

Does PCI compliance require OV or EV certificates? Because that’s the only way I could see that an LE cert wouldn’t be satisfactory.


#5

Adding this to flush out the docs on this a bit. There are Domain Validated (DV) Certificates, Organization Validated (OV) Certificates (which includes Let’s Encrypt) & Extended Validation (EV) Certificates.

At this point from what I’ve read, PCI doesn’t require EV.

Now the PCI standards will change at some point. There are folks pushing for EV to become part of the standard for processing credit card transactions:
http://www.practicalecommerce.com/articles/2248-SSL-Certificates-Extended-Validation-Worth-the-Cost-

But that’s a bridge we can cross when/if it happens.


#6

Let’s Encrypt certificates are DV, not OV.


#7

Ok. I assumed OV because isn’t LE an organization? Isn’t DV closer to self-certifying?


#8

The certificates are signed by a publicly trusted root CA, so they’re not self-signed (or self-certified).

The validation levels are about the kind of validation a CA performs on the information included on a certificate.

Domain validation means a CA has verified you have full control over a domain name. OV means you can also include your organization’s name in the certificate details, and that the CA has checked that’s actually you. This is a manual process which cannot be fully automated, so it’s not really something that can be provided for free. EV is basically the same, except that the check is more thorough. EV gets special treatment in some browser UIs (generally, the organization’s name is shown next to the lock). OV isn’t really treated any different; users won’t notice the difference between DV and OV unless they click through various browser dialogs to look at the certificate details.


#9

Very useful. Thanks!


#10

You may find the post CHALLENGE for the A+ 100% Junkies usefull.
There is an link to chek PCI compliance. And there is discussed why an High SSLLABS ratings and PCI rating.
Is not possible at the same time. Since PCI have some mandatory sites that lower the rating. (percentage not A+).


#11

Cool, I hadn’t seen https://www.htbridge.com/ssl/ before. Interesting discussion on evaluating SSL for optimal security.


#12

Our server has a Letsencrypt certificate - Trustwave are happy with this, but failed us because you can send a mail connection request (telnet) over port 25 before the STARTTLS command is issued, although you can’t get anywhere until its - weird or what?

Our solution here is to put the Credit Card machine on a new second internet connection, with all the other stuff on a separate static IP, that was cheaper than moving the mail system to an external hosted service. So with no mail system we passed PCI compliance with our Letsencrypt certificate, with a mail system we failed.

They also failed us on TLSv1.0, SSLv2 and SSLv3, although these protocols are specifically banned in our Apache and Postfix config files! They then emailed us and told us “False Positives sometimes occur” - but they still failed us without asking for proof we don’t allow these protocols, nor will they retest for one month - these people really need to get some experience in the real world.

Hope this helps you, Cheers, Clock.


#13

For those pushing for EV certificates, I think it makes excellent sense for payment processors to have an EV certificate to provide the highest possible assurance of their identity.
Then, with CloudFlare claiming PCI-DSS compliance maybe it means the bar isn’t really that high, considering the Ars Technica article I read about how they provision datacenters…


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.