To be or not to be (PCI 3.1 Compliant): The TLS 1.2 Only Dilemma
4 points by henrymoorefd on Oct 18, 2015 | hide | past | favorite
A few days ago, in what we didn't anticipate would be an expensive experiment, we accidentally activated the "TLS 1.2 Only" switch in our CloudFlare account.

We need to be PCI compliant and even though PCI 3.1 full enforcement won't come till next year, we were playing around with our Cloudflare Crypto settings prior to a PCI scan. We left the switch on by mistake for almost 6 hours.

TL;DR: We experienced a 20% drop in sales during that period of time.

The long version. We run an e-commerce site with approximately 1,000 transactions a day. 40% from Latin America, 20% Europe, 25% US and the rest scattered all over the place.

We started getting support tickets with people complaining of "Secure Connection Failed" errors (Error code: ssl_error_internal_error_alert).

Unfortunately, due to timezone issues with our customer service and IT staff teams, it took us a few hours to realise what was happening.

We turned off Cloudflare and the issue disappeared. We checked the settings, and disabled the culprit.

Just to be clear, this was not CloudFlare's fault. They specifically warn about potential traffic loss. Their FAQ says:

"We are monitoring browsers and traffic to track the percentage of TLS 1.0+1.1 traffic relative to the total volume of encrypted traffic. In October 2014, this traffic was approximately 30% of all encrypted traffic on CloudFlare's network. In February 2015, this traffic was less than 22% of all encrypted traffic on CloudFlare's network"

The question is: What happens next year when, in order to be PCI 3.1 compliant, we must use TLS 1.2? Are people going to pass their PCI scans, and then simply revert to allowing TLS 1.0 and 1.1?

We have a pretty representative western-based traffic pattern, and for us it was "only" a 20% drop, but if we include Asia and Africa, I'm sure that number is going to be higher.

Any idea of what other merchants or even payment gateways (Stripe et al) are going to do?
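As an added example (not from the post, CloudFlare or any commenter), here is one way to measure the exposure before flipping such a switch: count the share of requests that negotiated SSLv3/TLS 1.0/1.1, overall and per country, from a web-server access log. It assumes an nginx-style log_format that records $ssl_protocol and a GeoIP country code; the log lines are constructed samples.

```python
"""Estimate how much traffic a 'TLS 1.2 only' policy would reject (added example)."""
from collections import Counter
import re

# Assumed log_format: '$remote_addr $geoip_country_code $ssl_protocol "$request" $status'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<country>[A-Z]{2}|-) (?P<proto>TLSv1(?:\.[123])?|SSLv3|-) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})$'
)

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions a TLS 1.2-only policy refuses

# Constructed sample log lines (documentation IP ranges, made-up countries)
SAMPLE_LOG = """\
203.0.113.10 BR TLSv1 "POST /checkout HTTP/1.1" 200
203.0.113.11 MX TLSv1.2 "GET /cart HTTP/1.1" 200
198.51.100.7 US TLSv1.2 "POST /checkout HTTP/1.1" 200
198.51.100.8 US TLSv1.1 "GET /product/42 HTTP/1.1" 200
192.0.2.5 DE TLSv1.2 "GET / HTTP/1.1" 200
192.0.2.6 ES TLSv1 "POST /checkout HTTP/1.1" 200
192.0.2.7 AR TLSv1.2 "GET / HTTP/1.1" 304
192.0.2.8 - - "GET /health HTTP/1.1" 200
"""

def parse(lines):
    """Yield (country, protocol) per TLS request; plain-HTTP and unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("proto") != "-":
            yield m.group("country"), m.group("proto")

def legacy_share(lines):
    """Return (overall legacy fraction, {country: legacy fraction})."""
    total, legacy = Counter(), Counter()
    for country, proto in parse(lines):
        total[country] += 1
        if proto in LEGACY:
            legacy[country] += 1
    per_country = {c: legacy[c] / total[c] for c in total}
    overall = sum(legacy.values()) / sum(total.values()) if total else 0.0
    return overall, per_country

if __name__ == "__main__":
    overall, by_country = legacy_share(SAMPLE_LOG.splitlines())
    print(f"Requests a TLS 1.2-only policy would reject: {overall:.1%}")
    for country, share in sorted(by_country.items(), key=lambda kv: -kv[1]):
        print(f"  {country}: {share:.0%}")
```

Run it over a full day of real logs (the same period of the week the post describes) to get the denominator right; a per-country breakdown shows where the loss would concentrate.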
