During the nineteen thirties Waterman produced some of their finest pens, excellent writers made from beautiful celluloid. This one is in the pattern “Moss Agate”. A 32, this is a more slender pen than the 52 and 92 that were available at the same time and in the same patterns. The box lever has been redesigned and protrudes less from the barrel than its predecessor. The pens Waterman made at this time are very sturdy; this one has been around for about 85 years and is still looking very good.
With a pen like this in your hand, you might wonder what the subsequent “development” was all about. Is any later pen better than this? Does it look any better and does it do the job any better?
On another topic entirely, the PCI authority will no longer allow the SSL and TLS 1.0 protocols starting in June. Some of the PCI scanning companies are requiring the change to be made now. This creates a problem: some web shops can’t function if they are not PCI compliant, but removing the protocols causes problems of its own. That doesn’t affect this blog site, but it will affect my sales site. The main difference it will make is that some older browsers will no longer be able to connect to the site. If you still have Vista, which uses Microsoft Internet Explorer v10 or lower, you won’t be able to see these upgraded sites.
Re: Payment Card Industry Data Security Standard (PCI DSS) Compliance.
You said: “If you still have Vista, which uses Microsoft Internet Explorer v10 or lower you won’t be able to see these upgraded sites.”
Well – things might not be so bleak for us…
As I understand it (note, I’m not an expert in this field, only one exposed to it), strictly speaking after the 30 June 2016 PCI DSS deadline, anyone should still be able to see all of your sales site just fine, with any browser. This is even if you support PCI DSS compliant credit card transactions on your site.
There’s seemingly nothing to prevent us from “seeing” a site that still supports SSL and early TLS with a browser that does not support any later protocols. But if your site is PCI DSS compliant, an older browser that only supports SSL and early TLS protocols will NOT be able to enter into a secure and confidential credit card payment transaction.
So a potential customer running an older browser which only supports SSL and early TLS will be able to peruse your site freely, but when he/she goes to pay for a pending purchase – they are rejected and a message should be provided which explains why as well as recommending a browser upgrade.
But typically, this should be of Zero concern to you as a small merchant…
For most small online merchants, secure credit card transactions would be managed off-site by an E-Commerce payment service provider. The E-Commerce payment provider should be PCI DSS compliant, so you don’t have to worry about it; that’s a good part of what you pay them for.
—- Citing —-
Ref: PCI SSC, “Information Supplement, Migrating from SSL and Early TLS”, v1.0 April 2015
Can SSL/early TLS remain in an environment if not used as a security control?
Yes, these protocols may remain in use on a system as long as SSL/early TLS is not being used as a security control to provide confidentiality of the communication.
————–
But let’s say that for some reason a small merchant prefers to handle the full E-Commerce gamut him or herself. There’s more to consider now because maintaining security and confidentiality with respect to the processing of credit card transactions becomes the merchant’s responsibility, which means PCI DSS compliance, which in turn means the merchant should be capable of “surviving” a PCI SSC Approved Scanning Vendor (ASV) compliance scan. (PCI SSC stands for the Payment Card Industry Security Standards Council.)
My take on “Scanning Exposure”…
It is a possibility that an “aggressive” and/or “predatory” ASV (PCI SSC Approved Scanning Vendor) may play loose with interpretation of the PCI DSS and rate your site as vulnerable if ANY SSL/early-TLS is found at any level. As a result you may choose the least expensive path of simply paying a “fine” and removing the “offending” protocol support rather than fight the ASV assessment. The PCI SSC has a colored reputation for this kind of behavior:
There has been litigation and U.S. Congressional testimony about how the PCI SSC and/or ASVs have acted in a predatory fashion by levying fines, allegedly for-profit. (See the Wikipedia entry for “Payment Card Industry Data Security Standard” for a significant number of fully-cited examples.) Some consider this whole PCI SSC/ASV Cabal to be akin to a “Protection Racket”. (Personally, while I see the potential for this, I wouldn’t go so far.)
Note however, smaller merchants may be spared predatory scans as the return may not be worth the scanner’s effort. “Small” merchants are often delineated by Visa’s Level-4 class which (if memory serves) means you are processing less than 20,000 Visa transactions a year.
But again, it might just be better to avoid the whole issue and pay an E-Commerce service provider to worry about all this PCI DSS and scanning stuff in the first place. Today, E-Commerce transaction service provider costs have come down as competition continues to grow in this area.
Disclaimer: I am not employed by or affiliated with any entity mentioned in this post.
Hi David,
Thank you for the very comprehensive explanation – much better than the one I got from OsCommerce. I do use an e-commerce provider so this affected me very little, but I did want to flag it up to my customers.