Wednesday, November 3, 2010

PCI compliance and SSLv2

So I am doing a PCI audit, and one of the requirements is that there must not be weak cipher support enabled on systems which collect credit cards from the web. I started doing some testing around some of the larger e-commerce sites out there, and it had some pretty startling findings. SSLv3 has been in browsers since 1996 (think Mozilla 2.0... way before we had Firefox).

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

From my testing, these sites have SSLv2 disabled: Google, PayPal, Delta, E*Trade

These sites don't have SSLv2 disabled, which is strictly against PCI: Home Depot, Bank of America, Scottrade, Microsoft, Amazon, QVC, Dell, Orbitz
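Checking a server you administer for SSLv2 support, as an added example that is not from the original post: it builds an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, and classifies the reply by parsing an SSLv2 SERVER-HELLO (a TLS alert or a closed connection means SSLv2 is off). The helper names, the constructed sample replies and the dummy certificate bytes are assumptions.

```python
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) from the SSLv2 specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO (msg type 1, version 0x0002) in a 2-byte record header."""
    specs = b"".join(SSL2_CIPHERS)
    body = (b"\x01\x00\x02" + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body  # high bit: no padding byte

def parse_server_hello(data):
    """Return (accepted, cipher_names); accepted is True only for an SSLv2 SERVER-HELLO."""
    if len(data) < 11 or not data[0] & 0x80:
        return False, []  # TLS alert (0x15...), TLS handshake (0x16...), text or nothing
    rec_len = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + rec_len]
    # SERVER-HELLO: type(1) hit(1) cert_type(1) version(2) cert_len(2) specs_len(2) conn_len(2)
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return False, []
    cert_len, specs_len, _ = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names

def probe(host, port=443, timeout=5):
    """Send one CLIENT-HELLO to a host you are responsible for and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""  # no SSLv2 answer at all
    return parse_server_hello(reply)

# Constructed sample replies (assumptions): a SERVER-HELLO carrying a 4-byte dummy
# certificate and two cipher kinds, and a TLS protocol_version alert.
SAMPLE_SSL2_HELLO = (b"\x80\x15" + b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 6, 0)
                     + b"\x30\x82\x00\x00" + b"\x01\x00\x80\x07\x00\xc0")
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SSL2_HELLO))  # (True, [... two cipher names ...])
    print(parse_server_hello(SAMPLE_TLS_ALERT))   # (False, [])
```

A reply that starts with 0x16 is an SSLv3/TLS ServerHello and is correctly reported as "not accepted": only an SSLv2-format SERVER-HELLO (msg type 4, version 0x0002) counts as SSLv2 being enabled.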

Really concerning that these big commerce sites allow something like that to slip by the auditors. Time to hire me to fix your compliance :)
