TLS 1.2 Migration Bulletin August 2018

Document ID : KB000112735
Last Modified Date : 03/09/2018
Introduction:
The CA Technologies Payment Security team is going to disable support for TLS 1.1 and earlier versions of TLS/SSL. This is to comply with the payment security industry’s requirements for adopting TLS 1.2. The switch to TLS 1.2 will have nearly no impact on cardholder transactions conducted via browsers. If you use the Data Upload Client, you are advised to switch over to TLS 1.2.
Environment:
Production
Instructions:
 
Dear CA Technologies Payment Security Customer,
 
 
The Need for Migrating to TLS 1.2
 
PCI Data Security Standard version 3.1 describes the following requirements that directly impact the cryptography protocol implemented in a payment security solution:
 
  • Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons considered insecure.
  • Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
  • Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
 
An FAQ published by the PCI Security Standards Council states that TLS 1.2 meets the Council’s definition of “strong cryptography.”
 
TLS 1.2 introduces several cryptographic enhancements, particularly in the area of hash functions, with the ability to use or specify SHA-2 family algorithms for hash, MAC, and Pseudorandom Function (PRF) computations. TLS 1.2 also adds support for authenticated encryption with associated data (AEAD) cipher suites.
 
NIST Special Publication 800-52 Revision 1 recommends that agencies develop plans to migrate to TLS 1.2. In addition, Visa has issued bulletins advising users that Visa plans to disable TLS 1.1 on their services.
 
Browser Support for TLS 1.2
Almost all browsers that are currently in use support TLS 1.2. Here are some statistics from the W3Schools website that point to this fact:
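Market distribution of browsers

| 2018 | Google Chrome | Mozilla Firefox | Microsoft Internet Explorer/Edge | Apple Safari | Opera | Others |
|------|---------------|-----------------|----------------------------------|--------------|-------|--------|
| July | 80.1% | 10.8% | 3.5% | 2.7% | 1.5% | 1.4% |
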
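Google Chrome versions in use

| 2018 | Total | C69 | C68 | C67 | C66 | C65 | C64 | C63 | C62 | C61 | Older |
|------|-------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-------|
| July | 80.1% | 0.2% | 2.1% | 68.6% | 2.6% | 1.4% | 1.1% | 0.6% | 0.5% | 0.3% | 2.7% |
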
Note: Google Chrome supports TLS 1.2 from version 32 onward.
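Mozilla Firefox versions in use

| 2018 | Total | FF62 | FF61 | FF60 | FF59 | FF58 | FF57 | FF56 | FF55 | FF54 | Older |
|------|-------|------|------|------|------|------|------|------|------|------|-------|
| July | 10.8% | 0.7% | 6.7% | 1.4% | 0.2% | 0.1% | 0.2% | 0.1% | 0% | 0.1% | 1.3% |
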
Note: Mozilla Firefox supports TLS 1.2 from version 33 onward.
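Microsoft Internet Explorer/Edge versions in use

| 2018 | Total | Edge17 | Edge16 | Edge Older | IE11 | IE Older |
|------|-------|--------|--------|------------|------|----------|
| July | 3.5% | 0.9% | 0.5% | 0.2% | 1.8% | 0.1% |
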
Note: Microsoft Internet Explorer supports TLS 1.2 from version 11 onward.
Apple Safari versions in use

| 2018 | Total | S11 | S10 | Older |
|------|-------|-----|-----|-------|
| July | 2.7% | 2.4% | 0.3% | 0% |

Note: Apple Safari supports TLS 1.2 from version 7 onward.
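Opera versions in use

| 2018 | Total | O54 | O53 | O52 | O51 | O50 | O49 | OMini | Older |
|------|-------|-----|-----|-----|-----|-----|-----|-------|-------|
| July | 1.5% | 0.8% | 0.3% | 0% | 0% | 0% | 0% | 0.2% | 0.2% |
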
Note: Opera supports TLS 1.2 from version 12 onward.
As seen from these statistics, there is practically no impact on browser-based transactions or administrative operations. 
 
Data Upload Client Support for TLS 1.2
The Data Upload Client shipped by the CA Technologies Payment Security team supports TLS 1.2.
During the pre-published maintenance window in September 2018, the CA Technologies Payment Security team will switch over to supporting only the TLS 1.2 protocol and the following ciphers. Customers who use the Data Upload Client Web Services are advised to ensure that they support TLS 1.2 and these ciphers.
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA 
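
A client-side readiness check for the change described above, as an added example that is not part of the bulletin or CA Technologies' own code: it reports which of the listed cipher suites the local OpenSSL build behind Python's ssl module can offer, and builds a TLS 1.2-only client context restricted to them. The function names and the host passed to negotiated() are assumptions; the bulletin names no endpoint.

```python
import socket
import ssl

# Cipher suites listed in the bulletin (OpenSSL names, bulletin order).
BULLETIN_CIPHERS = [
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
]


def locally_supported(names=BULLETIN_CIPHERS):
    """Return the suites from `names` that the local OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    found = []
    for name in names:
        try:
            ctx.set_ciphers(name)  # raises SSLError if nothing matches
        except ssl.SSLError:
            continue
        # TLS 1.3 suites may always be listed, so match on the exact name.
        if any(c["name"] == name for c in ctx.get_ciphers()):
            found.append(name)
    return found


def bulletin_client_context():
    """Certificate-verifying client context limited to TLS 1.2 and the listed suites."""
    usable = locally_supported()
    if not usable:
        raise RuntimeError("no cipher suite from the bulletin is available locally")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(usable))
    return ctx


def negotiated(host, port=443, timeout=5.0):
    """Handshake with `host` (caller-supplied) and return (protocol, cipher)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with bulletin_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    have = locally_supported()
    for name in BULLETIN_CIPHERS:
        print(f"{name:32} {'available' if name in have else 'MISSING'}")
```

A handshake failure from negotiated() against your own test endpoint means the client and server share neither TLS 1.2 nor any of the listed suites.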
 
References
For more information, see:
If you have any questions regarding this maintenance, please contact CA Technologies Support.
 
Thank you, 
CA Technologies Payment Security Team