Shopify is not PCI compliant because it still has TLS v1.0 enabled. Please disable this protocol ASAP. After June 30, 2018, having this protocol enabled will be in violation of all ecommerce standards. I have failed a security scan due to this potential vulnerability and have obtained an exception for a year.
Justin - Perhaps I was abrupt in my statement, but this is what I'm being told by a PCI compliance scan that I was mandated to take:
This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
AFTER June 30th, 2018, the server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Please note the port associated with this finding. This finding may NOT be originating from port 443, which is what most online testing tools check by default.
Here is a link to the document from PCI Security Standards: https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf?agree...
My name is Aaron, I'm a guru here at Shopify!
Absolutely understand why you'd be concerned, but good news - as Jason mentioned, we're totally PCI compliant! We currently support TLS 1.2, 1.1 and 1.0. Shopify will use the highest supported version that the client also supports, and we'll discontinue support for TLS 1.0 on or before the June 30th 2018 deadline.
I'l send you an email once I've posted this response - if you'd like a copy of those PCI docs or if you're required by your payment processor to have a risk mitigation and migration plan, just reply to that email and I'll be happy to help out with those resources!
Please feel free to give us a call or start a live chat at any time, we're open 24/7 for your convenience and always happy to assist!
Aaron | Shopify Guru