The real impact of meeting PCI compliance
November 9, 2015
On December 18th 2015, the PCI Security Standards Council delayed the date for TLS 1.0 deprecation until June 2018. The full announcement is available here.
The Payment Card Industry Data Security Standard (PCI DSS) was updated to version 3.1 in April this year (2015). One standout requirement (§ 4.1) in the standard is to disable SSL and “early TLS” by June 30th 2016.
There is also another PCI document which clarifies that “early TLS” refers to TLS v1.0 and that a minimum of TLS v1.1 should be used but goes on to strongly encourage TLS v1.2 be preferred.
SSL v3 has already been long disabled on our platform but disabling all but TLS v1.2 was a little harder to justify as we still see many TLS v1.0 and v1.1 connections to our Edge proxies, although we surprisingly see much less usage of v1.1 than v1.0.
However, the number of connections and requests being performed over older TLS versions is insufficient information to advise a site owner of the real impact of choosing to disable those protocol versions. What we really want to know is the business value of those connections.
As part of the Section Fully Managed Content Delivery Service we already have Real User Monitoring (RUM) in place to measure other important information like page load times by page type or geo-location and front-end versus back-end times. We also measure revenue so that we can clearly see how changes in website performance lead to changes in purchasing behaviour.
In preparation for the PCI compliance deadline we decided to begin measuring revenue based on the TLS protocol version detected at our Edge proxy. And our initial results were interesting so we’re sharing them here.
Based on the existing connection statistics alone, we selected three different e-commerce sites exhibiting the highest ratio of TLS v1.0 connections and applied the new measurements to their RUM configuration. Over a 4 day period from Thursday to Sunday we recorded a combined total of $271,762.00 revenue across all 3 sites. Of that total, 3.5% (i.e. $9,597) came from browsers connected on TLS v1.0 and another 1.1% (i.e. $3,064) came from TLS v1.1 connections.
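The measurement described above, as an added example that is not Section's code or RUM configuration: a small script that attributes checkout revenue to the TLS protocol version negotiated at the edge and computes how much of that revenue would be refused under a given minimum-version policy. The log format (one `tls=… order_total=…` line per checkout) and the sample lines are constructed for illustration; the figures are not the post's data.

```python
"""
Added example: attribute e-commerce revenue to the negotiated TLS version.

Assumptions (constructed for this example, not taken from the post):
  * the edge proxy logs one line per checkout request, e.g.
        2015-11-05T10:12:01Z site=shop-a tls=TLSv1.0 order_total=120.00
  * lines with no tls= field or a non-numeric order_total= are counted
    as malformed rather than silently dropped, so gaps in the data show up
"""
import re
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Constructed sample log lines (values are made up).
SAMPLE_LOG = """\
2015-11-05T10:12:01Z site=shop-a tls=TLSv1.2 order_total=120.00
2015-11-05T10:13:44Z site=shop-a tls=TLSv1.0 order_total=45.50
2015-11-05T10:15:09Z site=shop-b tls=TLSv1.1 order_total=10.00
2015-11-05T10:16:30Z site=shop-b tls=TLSv1.2 order_total=300.00
2015-11-05T10:18:02Z site=shop-c tls=TLSv1.0 order_total=24.50
2015-11-05T10:19:55Z site=shop-c tls=TLSv1.2 order_total=500.00
2015-11-05T10:21:13Z site=shop-c order_total=99.99
2015-11-05T10:22:40Z site=shop-a tls=TLSv1.2 order_total=n/a
"""

LINE_RE = re.compile(r"tls=(?P<tls>\S+).*?order_total=(?P<total>\S+)")

# Protocol versions from oldest to newest; used to decide what a minimum
# version policy would refuse.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def revenue_by_tls(log_text):
    """Return ({tls_version: Decimal revenue}, malformed_line_count)."""
    totals = defaultdict(Decimal)
    malformed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            malformed += 1          # no tls= field (or no order_total=)
            continue
        try:
            amount = Decimal(m.group("total"))
        except InvalidOperation:
            malformed += 1          # order_total= is not a number
            continue
        totals[m.group("tls")] += amount
    return dict(totals), malformed


def revenue_share(totals):
    """Percentage of total revenue per TLS version, to one decimal place."""
    grand = sum(totals.values(), Decimal(0))
    if grand == 0:
        return {}
    return {v: round(amt / grand * 100, 1) for v, amt in totals.items()}


def revenue_at_risk(totals, minimum="TLSv1.2"):
    """Revenue from connections that a `minimum` version policy would refuse.

    Versions not in TLS_ORDER are treated conservatively as at risk.
    """
    cutoff = TLS_ORDER.index(minimum)
    at_risk = Decimal(0)
    for version, amt in totals.items():
        rank = TLS_ORDER.index(version) if version in TLS_ORDER else -1
        if rank < cutoff:
            at_risk += amt
    return at_risk


if __name__ == "__main__":
    totals, bad = revenue_by_tls(SAMPLE_LOG)
    shares = revenue_share(totals)
    for version in sorted(totals, key=TLS_ORDER.index):
        print(f"{version:8} ${totals[version]:>10}  {shares[version]:>5}%")
    print(f"malformed lines: {bad}")
    for minimum in ("TLSv1.1", "TLSv1.2"):
        print(f"at risk if minimum is {minimum}: ${revenue_at_risk(totals, minimum)}")
```

Run over a real checkout log the same way the post describes: the `revenue_at_risk` figure for `TLSv1.2` is the dollar amount a site owner would give up by enforcing the PCI minimum today, and the `TLSv1.1` figure shows the smaller hit from dropping only TLS v1.0. Using `Decimal` rather than `float` keeps the currency sums exact.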
With this data we can now have an informed conversation with our customers about the potential impact on their income as a result of complying with the latest PCI standard, with the precise dollar amounts applicable to their site’s actual traffic.
While almost 5% of revenue is a significant hit to accept, the upside is that (at the time of writing) there are still 7+ months before the deadline for these numbers to change. While they may not reach zero, we expect them to decline as software and devices are upgraded and other popular websites remove early TLS support, forcing users to update.
If you’d like to know what these numbers would look like for your site, contact us here at Section for more information.