PCI standards

Discussion in 'ASP.NET 2.0' started by gw007, Feb 20, 2009.

  1. Is anyone else having problems with the new PCI standards? We have been having problems with the use of SSL ciphers weaker than 128 bits.
     
  2. Bruce (DiscountASP.NET Staff)

    Do you mean the scanner doesn't like your SSL cert?
     
  3. The scan now says that we fail because the server we are using uses less than 128-bit encryption.
     
  4. mjp

    We have recently removed SSL 2 and all "weak" ciphers under 56 bit from all the servers (though those changes will not go into effect until the servers are rebooted, which may not be for a few weeks). That is where the bulk of the PCI scans failed.

    But I have to say it's unlikely that we will remove all ciphers under 128 bit. The rules always change depending on who is doing the evaluation. To really technically satisfy them a server would be rendered unusable for shared hosting.

    If you have a PCI scan that fails due to the presence of SSL 2 or ciphers under 56 bit, let us know and we may be able to restart the server before scheduled maintenance.
     
  5. Is it possible for you to do this? Our scan is still failing.
     
  6. Bruce (DiscountASP.NET Staff)

    Please open a support ticket and send all details regarding the scan failure.
     
