PCI Data Security Standard (DSS) 3.1 imposes restrictions on every externally facing internet service. Besides deprecating TLSv1.0, it requires certain security settings on the Internet Information Services (IIS) server. This article shows how to set the security response headers and the Transport Layer Security (TLS) cipher suite priority required by PCI DSS 3.1.
Security response header
By default, the IIS server does not send any security headers; they have to be added manually. Refer to this Microsoft article: Add a Custom HTTP Response Header (IIS 7).
Please add the following security headers to meet the PCI DSS standard:
Trend Micro provides a hot fix that adds the headers listed above automatically on the Edge server. Please contact Trend Micro Technical Support for assistance.
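As an added example (not part of the original article and not Trend Micro's hot fix), the following PowerShell adds response headers at the server level, which is the same customHeaders collection the linked Microsoft article configures through IIS Manager. It assumes the WebAdministration module (IIS 7 or later) and an elevated session. The header names and values in the sample calls are the editor's illustrative choices, not the article's list of required headers; substitute the headers required for your deployment.

```powershell
# Added example: manage IIS custom response headers with the WebAdministration module.
# Not from the original article. Requires an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

$filter = 'system.webServer/httpProtocol/customHeaders'
# Server-wide scope (applicationHost.config). For a single site use e.g. 'IIS:\Sites\Default Web Site'.
$scope  = 'MACHINE/WEBROOT/APPHOST'

function Set-IisResponseHeader {
    # Adds the header, or updates its value if a header with that name already exists.
    # IIS rejects duplicate names in the collection, so we must not blindly add.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $existing = Get-WebConfigurationProperty -PSPath $scope -Filter $filter -Name Collection |
                Where-Object { $_.name -eq $Name }
    if ($existing) {
        Set-WebConfigurationProperty -PSPath $scope -Filter "$filter/add[@name='$Name']" `
            -Name value -Value $Value
    } else {
        Add-WebConfigurationProperty -PSPath $scope -Filter $filter -Name . `
            -Value @{ name = $Name; value = $Value }
    }
}

function Get-IisResponseHeaders {
    # Returns the configured custom headers as name/value pairs, for verification.
    Get-WebConfigurationProperty -PSPath $scope -Filter $filter -Name Collection |
        Select-Object name, value
}

# Example: drop the X-Powered-By banner IIS adds by default (editor's assumption that it is unwanted).
Remove-WebConfigurationProperty -PSPath $scope -Filter $filter -Name . `
    -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# Illustrative headers only; the article's own required list is the authority.
Set-IisResponseHeader -Name 'X-Content-Type-Options' -Value 'nosniff'
Set-IisResponseHeader -Name 'X-Frame-Options'        -Value 'SAMEORIGIN'

# Verify what is now configured.
Get-IisResponseHeaders
```

After the change, confirm the headers appear on a live response (for example with `Invoke-WebRequest` against the site and inspecting `.Headers`); the configuration is applied immediately, but a site-level web.config can still override or duplicate server-level entries, so check the effective response rather than only the configuration.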
TLS cipher suite priority
To configure the IIS TLS cipher suite priority, users have to set up a Group Policy:
- Open the Group Policy Object Editor (for example, run gpedit.msc from the Command Prompt).
- Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
- Under the SSL Configuration Settings, open the SSL Cipher Suite Order setting.
- Follow the instructions inside the setting to order the cipher suites.
There are several cipher suite best-practice guides on the internet; the Mozilla (Firefox) guide is recommended: Security/Server Side TLS.
Additionally, Nartac has released a tool called IISCrypto, which provides a PCI DSS 3.1 template covering these TLS settings, cipher suite priorities, and related options. It makes applying or modifying these settings considerably quicker for administrators.
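The Group Policy setting above ultimately writes one registry value that SCHANNEL reads at startup. As an added example (not from the original article, the Mozilla guide, or IISCrypto), the following PowerShell sets that value directly, reads it back, and checks whether the TLSv1.0 server-side protocol has been explicitly disabled. The registry paths are the documented SCHANNEL and policy locations; the cipher suite list itself is an illustrative assumption in the ECDHE-first style of the Mozilla guide, and the real order should be taken from that guide.

```powershell
# Added example: configure and verify the SSL cipher suite order without gpedit.
# Not from the original article. Run elevated; SCHANNEL picks up the change after a reboot.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Illustrative order only (editor's assumption): modern ECDHE + AES-GCM suites first.
$desiredOrder = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Set-SslCipherSuiteOrder {
    # Writes the comma-separated list to the "Functions" value the GPO setting uses.
    param([Parameter(Mandatory)][string[]]$Order)
    $value = $Order -join ','
    # Windows limits this REG_SZ value to 1023 characters; anything longer is silently truncated.
    if ($value.Length -gt 1023) { throw "Cipher suite list exceeds the 1023-character limit" }
    if (-not (Test-Path $gpoKey)) { New-Item -Path $gpoKey -Force | Out-Null }
    Set-ItemProperty -Path $gpoKey -Name Functions -Value $value -Type String
}

function Get-SslCipherSuiteOrder {
    # Returns the configured order as an array, or nothing if no policy value is set.
    if (Test-Path $gpoKey) {
        $props = Get-ItemProperty -Path $gpoKey -Name Functions -ErrorAction SilentlyContinue
        if ($props) { return $props.Functions -split ',' }
    }
}

function Test-TlsProtocolDisabled {
    # $true only when the server-side SCHANNEL key for the protocol exists with Enabled = 0.
    # A missing key means the OS default applies, which is not the same as "disabled".
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0'
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server"
    if (-not (Test-Path $path)) { return $false }
    $props = Get-ItemProperty -Path $path
    return ($null -ne $props.Enabled -and $props.Enabled -eq 0)
}

Set-SslCipherSuiteOrder -Order $desiredOrder
Get-SslCipherSuiteOrder
"TLS 1.0 explicitly disabled: $(Test-TlsProtocolDisabled -Protocol 'TLS 1.0')"
```

Two caveats: writing the registry value directly takes effect for SCHANNEL, but the Local Group Policy Editor reads its own registry.pol store and will still display the setting as "Not Configured"; and on Windows Server 2016 or later `Get-TlsCipherSuite` shows the effective negotiated list, which is the better thing to check after the reboot than the raw policy value.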
Many web services can be used to verify PCI DSS compatibility, for example: