SSL is a must. PCI compliance is required to accept or store credit card information on your server.
Most small websites (including this one) technically don’t accept or store customer credit card details themselves. They simply redirect the customer to PayPal or another payment gateway page.
The first and most important option is to enable the SSL session cache.
Put the following lines in /etc/nginx/nginx.conf:
ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m;
20m is the size of the nginx SSL session cache. You can adjust it as per your needs.
10m is the SSL session timeout. If a user does not send another request before the timeout, the cached SSL session for that user is discarded.
Just reload nginx for the SSL session cache to take effect.
Nginx’s default set of ciphers includes:
This enables the Diffie–Hellman key exchange algorithm, which is strong but slow. Since PCI compliance doesn’t require this algorithm, we can safely disable it by explicitly defining ssl_ciphers.
You can read more about the ssl_ciphers format here.
Next, let’s mitigate the BEAST attack by forcing browsers to use the ciphers listed on the server side:
Test your SSL setup with SSL Labs.
You may see a complaint about “Forward Secrecy”. We leave it as it is, to keep the speed-up without compromising PCI-DSS compliance.
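As an added example (not configuration from the original post), here is how the directives discussed above fit together in one nginx configuration; the server name, certificate paths and the exact cipher list are my assumptions and placeholders, not values from the post.

```nginx
# Added example: the settings discussed above assembled in one place.
# server_name, certificate paths and the cipher list are placeholders/assumptions.
http {
    # Session cache shared across worker processes: 20 MB of cache,
    # cached sessions discarded after 10 minutes without a new request.
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 10m;

    server {
        listen 443 ssl;
        server_name example.com;                          # placeholder

        ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder path

        # Explicit cipher list (assumed, tune to your needs): strong suites only,
        # no anonymous or MD5 suites, and the slow DH key exchange excluded
        # (!DH is an OpenSSL cipher-string alias), as described above.
        ssl_ciphers HIGH:!aNULL:!MD5:!DH;

        # Let the server's cipher order win over the browser's preference
        # (the BEAST mitigation step described above).
        ssl_prefer_server_ciphers on;
    }
}
```

Run `nginx -t` to validate the configuration before reloading, then re-check the result with SSL Labs.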