May 27th, 2015
Risk Mitigation and Migration Plan for Payment Card Industry Data Security Standard (PCI DSS)
70 W. Madison St. Suite 1050
Chicago, IL 60602
Dear Sir or Madam:
Please accept this as the Risk Mitigation and Migration Plan for PCI DSS 3.1 for
A description of where and how we are currently using SSL and/or early versions of TLS, how
we intend to mitigate the risks with these technologies, and our migration plan are listed below.
1. Where are SSL/TLS 1.0 currently used in your environment?
We are currently accepting TLSv1 connections on port 80 and 443 to support older
browsers as many of our customers have not yet upgraded to PCI-DSS 3.1 compliant
We are currently accepting TLSv1 connections on ports 110, 143, 993 and 995 for email
logins from our customers who are not yet able to comply with PCI-DSS 3.1.
2. How are you mitigating risks with SSL/TLS 1.0?
We are currently using TLSv1 to as a security control, but not to protect the
confidentiality of the communication. We do not allow the transmission of customer data
We currently support TLSv1.1 and TLS1.2 and only HIGH encryption for those
customers who are able to use these. Our default communication is set to use the best
possible ciphers and protocols and only allowing downgrades for those customers unable
to use the required level of communication.
3. How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0?
We are continuing our security scanning and should any new vulnerabilities in TLSv1
appear, we will be able to quickly react to prevent any additional risk.
4. How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data
environment? (Meaning, how can you verify that new or upgraded systems connected to
your cardholder data environment don’t contain SSL/TLS 1.0?)
TLSv1 is only currently in our website environment for the connivance of our customers.
No new devices or system will be introduced that support TLSv1 and we are able to
move to new TLS formats as soon as our customer base will support such a move.
5. When will your migration plan from SSL/TLS1.0 be completed?
We expect to be fully migrated by March 2016 or earlier if our customer base is able to
upgrade. Under current testing about half our customers are unable to communicate with
us if we do not support TLSv1.