Currently, the majority of Newtek's shared servers have the TLS 1.0 protocol enabled (TLS 1.0 is a protocol version, not a cipher suite). It is kept enabled so that customers using outdated web browsers can still reach sites hosted on our servers.
Customers who have PCI scans performed on their site regularly may begin receiving PCI scan failures because TLS 1.0 is enabled on the web server that hosts their site. For customers facing this issue, the following option exists as a remedy:
TLS 1.0 PCI Scan Failure Remedy:
- Inform your PCI scan provider (Approved Scanning Vendor) that you are aware of this issue and are taking action to correct it by June 30, 2018.
- The PCI Security Standards Council has deemed it permissible to continue using TLS 1.0 until June 30, 2018, provided the customer gives the scanning company notice that they have a "Mitigation and Migration Plan" (the PCI SSC migration guidance calls this a Risk Mitigation and Migration Plan).
- Most PCI scanning companies provide a "Mitigation and Migration Plan" document for you to fill out and return to them so that you can pass your PCI scans even with TLS 1.0 enabled.
- Contact your PCI scan provider for more information on how to submit a "Mitigation and Migration Plan."
- Once your PCI scan provider has accepted your "Mitigation and Migration Plan," you can request that your site be re-scanned for PCI compliance.
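Before disputing a finding, or after a migration when you want to confirm the finding is actually gone, it helps to see for yourself which protocol versions the server negotiates rather than relying only on the scan report. The script below is an added example, not Newtek's or Trustwave's code. It uses only the Python standard library; the host name passed to `probe()` and the `example.com` default are placeholders for your own site.

```python
"""Probe which TLS protocol versions a web server will negotiate.

Added example (not Newtek's or Trustwave's code). Assumes only the Python
standard library; the host name given to probe() is a placeholder.
"""
import socket
import ssl

# Versions a PCI ASV scan cares about, mapped to Python's TLSVersion enum.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# What an ASV scan flags under the 2018-06-30 rule: SSL (not probed here) and
# "early TLS", i.e. TLS 1.0. TLS 1.1 is not flagged by that rule, only discouraged.
PCI_FAILING = ("TLSv1.0",)


def probe_context(name):
    """Build a client context pinned to exactly one protocol version.

    Pinning minimum and maximum to the same version means a successful
    handshake proves the server offers that version; nothing can be masked
    by the server steering the client to a newer one.
    """
    version = VERSIONS[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # testing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL's default security level refuses TLS 1.0/1.1 on the client side;
    # lower it so the probe really sends an old ClientHello.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def server_accepts(host, port, name, timeout=5.0):
    """Return True if the server completes a handshake at exactly this version."""
    ctx = probe_context(name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        # Handshake refused, alert, connection refused or timeout: not offered.
        return False


def probe(host, port=443):
    """Map each version name to whether the server negotiates it."""
    return {name: server_accepts(host, port, name) for name in VERSIONS}


def pci_findings(results):
    """Return the versions from a probe() result that an ASV scan will flag."""
    return [name for name in PCI_FAILING if results.get(name)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    results = probe(target)
    for name, offered in results.items():
        print(f"{name:8} {'offered' if offered else 'refused'}")
    findings = pci_findings(results)
    print("PCI finding:", ", ".join(findings) if findings else "none")
```

Run it as `python probe_tls.py www.yoursite.example` once before submitting the dispute and again after the server is migrated; a scan provider will only close the finding once the TLSv1.0 line reads "refused". Note that the probe tests the host you name, so a site behind a CDN or load balancer shows the edge's settings, not the origin server's.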
Trustwave PCI Customers:
Trustwave's "Mitigation and Migration Plan" document asks how SSL/TLS is used, how you are mitigating the risks, how you are monitoring for new vulnerabilities, how you are ensuring that newly added systems will not use TLS 1.0, and when your migration plan will be complete. Answers to the questions contained in Trustwave's "Mitigation and Migration Plan" document may be found below.
- Once you have downloaded and filled out the Trustwave "Mitigation and Migration Plan" document, it must be uploaded to the "Documents" section of your Trustwave TrustKeeper account.
- After the document has been successfully uploaded, the TLS 1.0 failure from your scan must be disputed in the TrustKeeper portal.
- Navigate to the Scanning tab at the top of the page, search for and select your TLSv1.0 scan failure, and then select Dispute Finding. You will be presented with a pop-up window in which to submit the dispute. The dispute may be filled out in a similar fashion to the example provided in the second image below:
Mitigation and Migration Plan - Official Response