Compliance standards

Consider the following recommendations on custom cipher suites for when your organization needs to comply with regulatory standards.

Refer to Customize cipher suites to learn how to specify cipher suites at zone level or per hostname.

Also enable TLS 1.3 on your zone and, when opting for PCI DSS, make sure to up your Minimum TLS version to 1.2 . Refer to Cipher suites and TLS protocols to learn more.

​​ PCI DSS

Recommended cipher suites for compliance with the Payment Card Industry Data Security Standard (PCI DSS) External link icon Open external link . Enhances payment card data security.

Cipher suites:

AEAD-AES128-GCM-SHA256 , AEAD-AES256-GCM-SHA384 , AEAD-CHACHA20-POLY1305-SHA256 , ECDHE-ECDSA-AES128-GCM-SHA256 , ECDHE-RSA-AES128-GCM-SHA256 , ECDHE-ECDSA-AES256-GCM-SHA384 , ECDHE-RSA-AES256-GCM-SHA384 , ECDHE-ECDSA-CHACHA20-POLY1305 , ECDHE-RSA-CHACHA20-POLY1305

Formatted array to copy:

The following array does not include the TLS 1.3 ciphers. To use them, you should enable TLS 1.3 on your zone. For details, refer to Cipher suites.

["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]

Recommended cipher suites for compliance with the Federal Information Processing Standard (140-2) External link icon Open external link . Used to approve cryptographic modules.

Cipher suites:

AES128-GCM-SHA256 , AES128-SHA , AES128-SHA256 , AES256-SHA , AES256-SHA256 , DES-CBC3-SHA , ECDHE-ECDSA-AES128-GCM-SHA256 , ECDHE-ECDSA-AES128-SHA , ECDHE-ECDSA-AES128-SHA256 , ECDHE-ECDSA-AES256-GCM-SHA384 , ECDHE-ECDSA-AES256-SHA384 , ECDHE-RSA-AES128-GCM-SHA256 , ECDHE-RSA-AES128-SHA , ECDHE-RSA-AES128-SHA256 , ECDHE-RSA-AES256-GCM-SHA384 , ECDHE-RSA-AES256-SHA , ECDHE-RSA-AES256-SHA384

Formatted array to copy: