My server is PCI compliant so which plan is best

Hello,

I have a dedicated server that is PCI compliant but I want to move my domain and dns to Cloudflare. Even with my server being PCI compliant, do I need to upgrade to the business plan since it is PCI compliant or will the Pro plan be sufficient?

Thanks,
Andy

Greetings,

Thanks for asking.

I might not be that familiar with it, but the least I know is required is to set the “Minimum TLS version” option to at least 1.2 at Cloudflare dashboard → SSL/TLS → Edge Certificates for your domain name.

Furthermore, make sure to have a valid SSL certificate at your origin host/server and use proper “Full (Strict) SSL” option at SSL/TLS tab.

I’d also suggest enabling the “Automatic HTTPS Rewrites”, “Always Use HTTPS”, “HTTP Strict Transport Security (HSTS)” and “TLS 1.3” options.

All that can be applied even on a Free plan as far as I know.

Nevertheless, the Pro plan offers “Web Application Firewall” (Managed WAF Rules), “Cloudflare Managed Ruleset” and “Package: OWASP ModSecurity Core Rule Set” which we can enable with a single click and configure per demand.
Combining this with custom Firewall Rules and other security & protection options we have at Cloudflare, per our need, we get a really good one.
You could also enable Rate Limiting for some specific requests to protect the checkout/cart/payment page and login pages too.
Despite this, the Pro plan has got an option to “Configure Super Bot Fight Mode” to challenge “Definitely automated” bots.
Furthermore, you can use Firewall Rules to block Amazon AS numbers - there are multiple as far as I remember - and even more like old HTTP/1.0 requests, or block some known “bad” user-agents, crawlers, etc.
Under the Firewall Settings, you can set the Security Level, Challenge Passage, enable Browser Integrity Check and a few others.
You could also track your Firewall Events and check for anything suspicious, challenged or blocked; that way you can tune up and adapt your security settings as you need.
Using Cloudflare Scrape Shield, you can protect written e-mail addresses in the HTML content of a webpage by enabling Email Address Obfuscation, for example.

And, I’d suggest using Advanced Certificate Manager (also called Dedicated SSL) at Cloudflare, if possible in that case.

In other words, the Business plan offers to configure the strong ciphers which are required by the PCI DSS 3.2 → maybe that’s the trick here :thinking:

If so, I’d suggest using “Minimum TLS - 1.3” and re-checking the ciphers via online tools like SSL Labs.

If some “vulnerable” ones appear, on the Business plan they can be disabled and only the “high / strong” ones enabled.
So, if we use “Minimum TLS - 1.2”, we might get a report on SSL Labs for some “old” or “vulnerable” ones which are used and which on the Business plan we can disable.

Nevertheless, in terms of the ciphers, here is the list:

I’d go with the Pro plan, and make sure all the above stated is applied (not setting Minimum TLS to 1.2, but rather to 1.3 → even though some “services” or “users” couldn’t open the website due to an “old” web browser or OS which doesn’t support TLS 1.3 nowadays?).

Last but not least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection:

Could be I am wrong about this.
Kindly and patiently wait for another reply on this topic.


@fritex Thanks for taking the time with all the detail you provided, it is very helpful. I did do a deep dive into Cloudflare articles but was still left with questions. The part that kept me guessing is when you look at the Pro plan overview it has a section on “E-commerce Store” where they mention speeding up and protecting your e-commerce site.

This is not required, nor would I recommend this yet. Setting the minimum to TLS v1.2 is sufficient, and will not stop a sizeable percentage of users from accessing your site.

Guidance on configuring your Cloudflare account as one element of your overall PCI DSS compliance is available here:

https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-compliance-and-Cloudflare-SSL-TLS

In general:

  • Set Minimum TLS v1.2
  • Set SSL Mode Full (Strict)
  • Enable Always Use HTTPS
  • Create a WAF rule to block all ports other than 80 and 443.

While a free plan may well pass a PCI audit, the terms prohibit using a free plan to “process or collect personal or business credit card information”.
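An added example, not from the thread: once "Minimum TLS version" has been set at the edge, this Python probe pins a client to each protocol version in turn and reports whether anything older than the configured minimum still completes a handshake. The hostname is a placeholder.

```python
"""Added example (not from the thread): confirm what a Cloudflare-fronted host
negotiates after "Minimum TLS version" is raised. Each probe pins the client to
one protocol version; nothing older than the minimum should complete a handshake.
The hostname under __main__ is a placeholder."""
import socket
import ssl

# Dashboard label -> ssl module constant, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_version(host, version, port=443, timeout=5.0):
    """Return True if the edge completes a handshake pinned to `version`."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # relax it locally so a refusal really comes from the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False  # this client build cannot even offer the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def probe_all(host, port=443):
    """Map each label in VERSIONS to whether the host accepted it."""
    return {label: probe_version(host, v, port) for label, v in VERSIONS.items()}

def evaluate(results, minimum="TLSv1.2"):
    """Judge probe results against the expected minimum: compliant means nothing
    older than `minimum` was accepted and at least one version at/above it was."""
    order = list(VERSIONS)
    cutoff = order.index(minimum)
    legacy = [v for v in order[:cutoff] if results.get(v)]
    modern = [v for v in order[cutoff:] if results.get(v)]
    return {"legacy_accepted": legacy, "modern_accepted": modern,
            "compliant": not legacy and bool(modern)}

if __name__ == "__main__":
    HOST = "shop.example.invalid"  # placeholder for your Cloudflare-proxied hostname
    print(evaluate(probe_all(HOST)))
```

The probe only tells you what the edge accepts; it does not replace the SSL Labs cipher report the thread mentions or the rest of a PCI assessment.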
