Compliance standards

Consider the following recommendations on custom cipher suites for when your organization needs to comply with regulatory standards.

Refer to Customize cipher suites to learn how to specify cipher suites at zone level or per hostname.

Also enable TLS 1.3 on your zone and, when opting for PCI DSS, make sure to up your Minimum TLS version to 1.2. Refer to Cipher suites and TLS protocols to learn more.

PCI DSS

Recommended cipher suites for compliance with the Payment Card Industry Data Security Standard (PCI DSS) ↗. Enhances payment card data security.

• Cipher suites:

AEAD-AES128-GCM-SHA256¹, AEAD-AES256-GCM-SHA384², AEAD-CHACHA20-POLY1305-SHA256³, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305

• Formatted array to copy:

Note

The following array does not include the TLS 1.3 ciphers. To use them, you should enable TLS 1.3 on your zone. For details, refer to Cipher suites.

["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]

FIPS-140-2

Recommended cipher suites for compliance with the Federal Information Processing Standard (140-2) ↗. Used to approve cryptographic modules.

• Cipher suites:

AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384

• Formatted array to copy:

["AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384"]

Footnotes

1. Same as TLS_AES_128_GCM_SHA256. Refer to TLS 1.3 cipher suites for details. ↩

2. Same as TLS_AES_256_GCM_SHA384. Refer to TLS 1.3 cipher suites for details. ↩

3. Same as TLS_CHACHA20_POLY1305_SHA256. Refer to TLS 1.3 cipher suites for details. ↩

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!