The Payment Card Industry Data Security Standard (PCI-DSS) is gaining momentum. It requires merchants (and providers) to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.” when dealing with credit card numbers and account information.
One aspect of securing the data is the encryption of the communication between the browser (client) and the server. Most of our customers use Apache web server, and by default, this lets clients use weak encryption protocols and ciphers, mainly for backward compatibility with old browsers.
We recommend our customers to include these Apache configuration directives in their ssl.conf file. In fact, all our VPS images include this by default:
# use strong SSL protocols, specially do not enable SSLv2 SSLProtocol -ALL +SSLv3 +TLSv1 # Do not accept weak SSL ciphers from clients. SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
If you own a SSL certificate, you can test it along with the server configuration using this excellent service from SSL Labs.
To know more about our VPS offering for ecommerce follow this link.