Enforcing Strong TLS Ciphers
Testing Inbound and Outbound Traffic
In order to encrypt the transmission of CHD across open, public networks, the PCI DSS stipulates a specific testing procedure in PCI Requirement 4.1.c. It says, “Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit.” You must directly test traffic to ensure that insecure ciphers are not utilized. Of course, the latest version of TLS is going to change over time as the next version comes out. Right now, our latest version is TLS version 1.3, so the minimum version you should be supporting is version 1.2. Older versions of TLS or legacy SSL protocols are all known to have fatal security flaws and do not provide protection for data in transit.
Requirement 4.1.c of the PCI Data Security Standard requires that you directly test the traffic that you are allowing your clients to negotiate with your servers to ensure that they are using strong TLS ciphers. One of the very common findings that we have during assessments is that our clients are allowing these insecure ciphers to still be utilized, such as TLS 1.0. So it’s up to you to go in and configure AWS API endpoints, for example, to enforce the use of TLS 1.2.