This post is a reminder for our customers whose sites and other properties are compliant with PCI DSS. It is time to stop supporting the SSL and older TLS protocols in your PCI-compliant applications.
PCI DSS requires that merchants and service providers disable support for SSL and older versions of TLS by June 30, 2018. It is strongly recommended that as of that date, only TLS version 1.2 or higher be supported, although in some cases, version 1.1 with strong cipher suites may be acceptable.
Akamai is ready to address this requirement, and customers need to make a few configuration changes to ensure that their sites will only negotiate secure connections using newer versions of TLS (and related cipher suites), while data moves through Akamai’s platform.
Key Connections on the Secure CDN that Impact Cardholder Data
From a customer’s perspective, the flow of cardholder data generally moves between the end user’s web browser client (“Client”), various Edge servers on Akamai’s Intelligent Platform (the “Edge”), the customer’s origin server (“Origin”), and the Luna Control Center (“Luna”). Data flows between these components in the following ways:
- Between end user client web browsers and an Akamai Edge server (“Client to Edge”);
- Between servers on Akamai’s Intelligent Platform, or between various Edge Servers (“Edge to Edge”);
- Between the customer’s origin (web host) server and one of Akamai’s Edge servers (“Edge to Origin”);
- Between the Luna Control Center, where customers configure their Akamaized sites, and an Akamai Edge server (“Luna to Edge”); and
- Between a customer’s web browser (or API client, as appropriate) and Akamai’s Luna Control Center or related configuration application (“Client to Luna”).
Configure Your Connections to Remove SSL and Old TLS
Akamai already uses only TLS 1.2 or higher for “Edge to Edge” and “Luna to Edge” connections, so customers should focus on the remaining three connection types.
- Client to Edge Connections: Using the Certificate Provisioning System application in the Luna Control Center, customers may configure their Secure CDN slots to only use new versions of TLS. For each certificate, open “View and Edit Deployment Settings” and review the “Advanced Network Configuration” section. Under “TLS Protocol Versions”, select “Disable specific TLS versions” and then check the boxes for “TLS 1.0” and “TLS 1.1.”
- Edge to Origin Connections: Customers should configure their origin servers to only accept connections using TLS 1.2 or higher. The Akamai Secure CDN will negotiate the best TLS version to use with origin servers when establishing connections. Alternatively, customers may contact Akamai Professional Services and request that advanced metadata be added to their property configurations to specify the specific TLS versions to use for origin connections. See http://akamai.me/OriginProtocols for more details.
- Client to Luna Connections: Customers should ensure that all of their users with the ability to log in to the Luna Control Center or other Akamai configuration tools are doing so with modern web browsers or other clients that support the use of TLS version 1.2 or higher. Akamai has many global customers for whom PCI DSS is not a priority, and who may still use older clients and browsers to access Luna. In order to maintain backward compatibility, Luna must support the use of older protocols for those customers. As long as our PCI compliant customers use modern clients, Luna will negotiate all connections with approved versions of TLS, and customers can continue using Luna in a PCI compliant manner.
Select the Appropriate Ciphers
PCI DSS 3.2 requires that strong encryption be used to protect cardholder data. In addition to discontinuing the use of SSL and early versions of TLS, customers should ensure that strong and reliable ciphers are used for their Client to Edge and Edge to Origin connections. Akamai’s suggested list of cipher profiles is maintained at http://akamai.me/CipherProfiles.
- Client to Edge Connections: Using the Luna Control Center, customers may select their site’s cipher profile. Selecting a recent cipher profile will ensure that only ciphers compliant with the latest standards will be used. Akamai recommends selecting the most recent profile, which at this time is the “ak-akamai-default-2017q3” profile.
- Edge to Origin Connections: Akamai servers will present a list of ciphers to the origin, as listed at http://akamai.me/OriginProtocols. Since the origin controls which protocol and cipher is used, customers should only enable protocols and ciphers that are compliant with PCI DSS 3.2.
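As an added example (not Akamai’s code or configuration), the following Python check applies the rules from the protocol and cipher sections above to an origin server’s TLS settings: it parses nginx-style `ssl_protocols` / `ssl_ciphers` directives and reports what must change before the June 30, 2018 cut-off. The two server blocks and the weak-cipher marker list are constructed assumptions, not Akamai’s published profile.

```python
import re

# Protocols PCI DSS requires to be off; TLSv1.1 is only conditionally acceptable.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
CONDITIONAL_PROTOCOLS = {"TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Assumption: substrings that identify suites not considered "strong cryptography".
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "LOW", "MEDIUM")

def parse_tls_config(text):
    """Pull the protocol list and cipher list out of nginx-style directives."""
    protos = re.search(r"ssl_protocols\s+([^;]+);", text)
    ciphers = re.search(r"ssl_ciphers\s+\"?([^;\"]+)\"?;", text)
    protocols = protos.group(1).split() if protos else []
    cipher_list = ciphers.group(1).split(":") if ciphers else []
    return protocols, cipher_list

def weak_ciphers(cipher_list):
    """Cipher entries (ignoring '!' exclusions) that name weak or anonymous suites."""
    return [c for c in cipher_list
            if not c.startswith("!") and any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]

def assess(config_text):
    """Return a verdict plus the findings an origin owner must act on."""
    protocols, ciphers = parse_tls_config(config_text)
    findings = [f"{p} must be disabled" for p in protocols if p in FORBIDDEN_PROTOCOLS]
    weak = weak_ciphers(ciphers)
    findings += [f"weak cipher {c} must be removed" for c in weak]
    if CONDITIONAL_PROTOCOLS & set(protocols):
        # TLS 1.1 may be kept only when every offered suite is strong.
        findings.append("TLSv1.1 is only acceptable with strong cipher suites" if weak
                        else "note: TLSv1.1 enabled; TLS 1.2 or higher is recommended")
    if not MODERN_PROTOCOLS & set(protocols):
        findings.append("TLS 1.2 or higher must be enabled")
    blocking = [f for f in findings if not f.startswith("note:")]
    return {"compliant": not blocking, "findings": findings}

# Constructed sample: an origin still negotiating legacy protocols and 3DES/RC4.
LEGACY_ORIGIN = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:RC4-SHA:!aNULL";
}"""
# Constructed sample: the same origin after the cut-over.
HARDENED_ORIGIN = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
}"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_ORIGIN), ("hardened", HARDENED_ORIGIN)):
        print(name, assess(cfg))
```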
Please reach out to your account team or professional service representatives if you have any questions during this transition period.
Lastly, for more information about Akamai's compliance with PCI DSS and other information security standards, including various compliance documentation, please see Information Security Compliance & Standards (access to Luna Control Center is required due to the sensitivity of some of the content).