PCI Scan Failure: TLS 1.0

Currently, the majority of Newtek's shared servers have the TLS 1.0 protocol enabled. This is done so that customers using outdated web browsers can still view sites hosted on our servers without issue.
 
Customers who regularly have PCI scans performed on their site may start to receive PCI failures because TLS 1.0 is enabled on the web server hosting their site. For customers facing this issue, the following option exists to remedy it:
 
TLS 1.0 PCI Scan Failure Remedy:
  • Inform your PCI scan provider that you are aware of this issue and are taking action to correct it by June 30th, 2018.
  • The PCI Council has deemed it permissible to continue using TLS 1.0 until 6/30/2018, provided the customer gives the scanning company notice that they have a "Mitigation and Migration Plan."
  • Most PCI scan providers have a "Mitigation and Migration Plan" document for you to fill out and return to them so that you may pass your PCI scans even with TLS 1.0 enabled.
  • Contact your PCI scan provider for more information on how to submit a "Mitigation and Migration Plan."
  • Once your PCI scan provider has accepted your "Mitigation and Migration Plan," you will then be able to request that your site be re-scanned for PCI compliance.
 
Trustwave PCI Customers:
 
  • Trustwave provides a "Mitigation and Migration Plan" document that should be filled out on your company's letterhead. You can find this document at this link: https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template
  • This document asks how SSL/TLS 1.0 is used, how you're mitigating the risks, how you're monitoring for new vulnerabilities, how you're ensuring that newly added systems will not use SSL/TLS 1.0, and when your migration plan will be completed. Answers to the questions contained in Trustwave's "Mitigation and Migration Plan" document may be found below.
  • Once you have downloaded and filled out the Trustwave "Mitigation and Migration Plan" document, it must be uploaded to the "Documents" section of your Trustwave TrustKeeper account.
    • To access your Trustwave TrustKeeper account, navigate to https://login.trustwave.com/portal-core/home and log in with your TrustKeeper credentials.
    • Next, navigate to the Documents tab and then select Add Documents.
  • After the document has been successfully uploaded, the TLS 1.0 failure from your scan will need to be disputed in the TrustKeeper portal.
    • Navigate to the Scanning tab at the top of the page, search for and select your TLSv1.0 scan failure, and then select Dispute Finding. You will then be presented with a pop-up window in which to submit the dispute. The dispute may be filled out in a similar fashion to the example provided in the second image below:
 
Mitigation and Migration Plan - Official Response
 
  • Newtek has generated the following responses for Trustwave's "Mitigation and Migration Plan" document:

    1. Where are SSL/TLS 1.0 currently used in your environment?
      • Currently, both the Windows and Linux shared web hosting environments support TLS 1.0 until June 2018.
    2. How are you mitigating risks with SSL/TLS 1.0?
      • All risks within the shared web hosting environment are assessed individually on a case-by-case basis and are handled by Administrative and high-level Technical Teams.
    3. How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0?
      • We utilize three primary teams for the monitoring of all potential vulnerabilities, including SSL/TLS 1.0:
        • Server Operations Department
        • Network Operations Department
        • Technical Support Department
    4. How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data environment? (Meaning, how can you verify that new or upgraded systems connected to your cardholder data environment don’t contain SSL/TLS 1.0?)
      • All Windows and Linux based shared web hosting environments built and configured on or after June 30th, 2018 will have TLS 1.0 removed, with confirmation made by a Senior Systems Engineer.
    5. When will your migration plan from SSL/TLS1.0 be completed?
      • No later than June 30, 2018
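The confirmation step in answer 4 (verifying that a newly built or upgraded system does not still offer TLS 1.0) can be made repeatable rather than a manual sign-off. The following is an added example written for this article, not Newtek's or Trustwave's own tooling. It assumes the Linux hosts use Apache mod_ssl (so the `SSLProtocol` directive is what to inspect) and that a live handshake probe is acceptable for either the Windows or Linux environment; the host name and directive strings in the block are constructed placeholders.

```python
"""Two checks for "is TLS 1.0 still enabled?" (added example, not Newtek's code):

1. tls10_enabled_in_apache(): static check of an Apache mod_ssl SSLProtocol line.
2. server_accepts_tls10():   live check that offers the server a TLS 1.0-only
                             ClientHello and reports whether it is accepted.
"""
import socket
import ssl
import sys

# Protocol names mod_ssl understands in SSLProtocol (besides the 'all' shortcut).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def apache_ssl_protocols(directive: str) -> dict:
    """Evaluate an 'SSLProtocol' directive and return {protocol: enabled}.

    mod_ssl syntax: each token is a protocol name or 'all', optionally
    prefixed with '+' (enable) or '-' (disable); a bare name means '+'.
    Tokens are applied left to right, so later ones override earlier ones.
    Assumption: 'all' is treated as every name in PROTOCOLS; real mod_ssl
    limits it to what the linked OpenSSL supports.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = {p: False for p in PROTOCOLS}
    by_lower = {p.lower(): p for p in PROTOCOLS}
    for tok in tokens[1:]:
        state = not tok.startswith("-")
        name = tok.lstrip("+-").lower()
        if name == "all":
            for p in PROTOCOLS:
                enabled[p] = state
        elif name in by_lower:
            enabled[by_lower[name]] = state
        else:
            raise ValueError("unknown SSLProtocol token: %r" % tok)
    return enabled


def tls10_enabled_in_apache(directive: str) -> bool:
    """True if the directive leaves TLS 1.0 (mod_ssl name 'TLSv1') enabled."""
    return apache_ssl_protocols(directive)["TLSv1"]


def server_accepts_tls10(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check: try a handshake pinned to exactly TLS 1.0.

    Returns True if the server completes a TLS 1.0 handshake, False if it
    refuses (alert, EOF or reset).  Network errors other than a refused
    handshake propagate, since 'unreachable' is not the same as 'disabled'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # we test protocol support, not the certificate
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")     # let a modern OpenSSL offer TLS 1.0 suites at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except (ssl.SSLError, ConnectionResetError):
        return False


if __name__ == "__main__":
    # Constructed directives: the classic "everything but SSLv3" line versus
    # the post-migration line that also drops TLS 1.0 and 1.1.
    for line in ("SSLProtocol all -SSLv3",
                 "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"):
        print("%-45s TLS 1.0 enabled: %s" % (line, tls10_enabled_in_apache(line)))
    # Live probe only when a host is given, e.g.: python check_tls10.py www.example.com 443
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("%s:%d accepts TLS 1.0: %s" % (host, port, server_accepts_tls10(host, port)))
```

The static check is the one to run in a build pipeline for a new Linux host before it is signed off; the live probe is the one to run from outside against either a Windows or a Linux server after the change, since it exercises what a PCI scanner actually sees. Run the probe only against servers you are responsible for, and note that it reports "not accepted" for any refused handshake, so a host that blocks the probing address entirely will surface as a connection error rather than a False.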

Feedback

Very helpful, thanks.
595672 (December 7, 2015 at 1:35 PM)
