The PCI Security Standards Council has released a new version of its data security standard that will end the use of the now outdated Secure Sockets Layer encryption protocol, which could pose a risk to payment data.
PCI DSS version 3.1, with supporting guidance, will replace the earlier version 3.0 from June 30. The new guidance removes SSL and the early versions of Transport Layer Security from the list of acceptable security controls. The change was made in response to demand for strong cryptography and a more secure version of TLS.
Although the revisions are effective immediately, a timeline for phasing out the older versions has been set to allow organizations to make changes to their systems, according to a statement released by the PCI Security Standards Council. As a result, SSL and early TLS may no longer be used as security controls for protecting payment data after June 30, 2016.
“Prior to this date, existing implementations that use SSL and/or early TLS must have a formal risk mitigation and migration plan in place,” the council statement said, adding, “Effective immediately, new implementations must not use SSL or early TLS.”
The council, however, noted that point-of-sale terminals that can be verified as not being susceptible to known exploits for SSL and early TLS may continue to use those protocols as security controls even after the June 30, 2016 deadline.
Al Pascual, the director of fraud and security at Javelin Strategy & Research, said that the PCI DSS update is an attempt to address a “present-day threat”. He also warned of the risks involved in continuing to use the outdated SSL protocol and said it is in the best interest of businesses and merchants to adopt the most recent changes. He described the PCI deadline of 2016 as “reasonable” for businesses to upgrade to the newer protocol.
The PCI Security Standards Council, while announcing the new security standard, said:
“The NIST identified SSL, a cryptographic protocol designed to provide secure communications over a computer network, as not being acceptable for the protection of data due to inherent weaknesses within the protocol. Upgrading to a current, secure version of Transport Layer Security, the successor protocol to SSL, is the only known way to remediate these vulnerabilities.”
The council’s spokesperson told the Information Security Media Group that it is “critically important” for organizations to upgrade to the new version as soon as possible.
“The SSL protocol primarily affects website servers and web browsers, so if exploited, it can jeopardize the security of any payment card data being accepted or processed,” the spokesperson added.
The council also stated that the known exploits against SSL and early versions of TLS include POODLE and BEAST. The threat of POODLE (Padding Oracle On Downgraded Legacy Encryption) is that attackers can exploit the weakness to downgrade a connection from TLS to SSL; they can then read encrypted messages, steal session cookies and impersonate end users.
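The requirement is concrete enough to check mechanically: a server that still lists SSLv3, TLSv1 or TLSv1.1 in its protocol configuration is exactly the kind of implementation the council says needs a migration plan. The following audit script is an added example written for this article and is not code from the PCI Security Standards Council. It reads nginx `ssl_protocols` and Apache `SSLProtocol` directives, works out which protocol versions each one actually enables, and flags those that PCI DSS 3.1 no longer accepts. The sample configuration is constructed for the demonstration, and the expansion of Apache's `all` keyword is assumed to match a mod_ssl 2.4 build on a TLS 1.3-capable OpenSSL.

```python
import re

# Versions PCI DSS 3.1 no longer accepts as security controls
# (SSL and "early TLS", i.e. TLS 1.0 and TLS 1.1), and those it does.
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED = {"TLSv1.2", "TLSv1.3"}

# Assumption: what Apache's "all" keyword expands to on a modern mod_ssl build.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def normalize(token):
    """Map spellings such as 'tlsv1.0' or 'SSLv3;' onto canonical names."""
    t = token.strip().rstrip(";")
    m = re.fullmatch(r"(?i)(ssl|tls)v?(\d)(?:\.(\d))?", t)
    if not m:
        return None
    family, major, minor = m.group(1).upper(), m.group(2), m.group(3)
    if family == "SSL":
        return f"SSLv{major}"
    if minor in (None, "0"):      # TLSv1 and TLSv1.0 are the same protocol
        return "TLSv1"
    return f"TLSv{major}.{minor}"


def enabled_protocols(directive_line):
    """Return the set of protocol versions one directive line enables."""
    parts = directive_line.strip().rstrip(";").split()
    if not parts:
        return set()
    name, args = parts[0], parts[1:]
    if name == "ssl_protocols":                 # nginx: an explicit list
        return {p for p in (normalize(a) for a in args) if p}
    if name == "SSLProtocol":                   # Apache: +/- prefixes and "all"
        enabled = set()
        for a in args:
            remove = a.startswith("-")
            token = a.lstrip("+-")
            versions = APACHE_ALL if token.lower() == "all" else {normalize(token)} - {None}
            enabled = enabled - versions if remove else enabled | versions
        return enabled
    raise ValueError(f"unsupported directive: {name}")


def audit(config_text):
    """Scan a configuration and report each protocol directive's compliance."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not (line.startswith("ssl_protocols") or line.startswith("SSLProtocol")):
            continue
        enabled = enabled_protocols(line)
        bad = sorted(enabled & DISALLOWED)
        findings.append({
            "line": lineno,
            "directive": line,
            "enabled": sorted(enabled),
            "disallowed": bad,
            # compliant only if nothing disallowed is on and a current TLS is on
            "compliant": not bad and bool(enabled & ALLOWED),
        })
    return findings


# Constructed sample: two legacy directives and their hardened counterparts.
SAMPLE_CONFIG = """
# nginx block still negotiating SSLv3 and early TLS
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# nginx block after migration
ssl_protocols TLSv1.2 TLSv1.3;
# Apache: dropping SSLv2/SSLv3 alone still leaves TLS 1.0 and 1.1 enabled
SSLProtocol all -SSLv2 -SSLv3
# Apache after migration
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "OK " if f["compliant"] else "FAIL"
        print(f"{status} line {f['line']}: {f['directive']}  disallowed={f['disallowed']}")
```

The third sample is the instructive one: the common Apache idiom `SSLProtocol all -SSLv2 -SSLv3` removes SSL but keeps TLS 1.0 and 1.1 switched on, so it is still non-compliant under the 3.1 wording even though it looks hardened at a glance.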
The PCI SSC is confident that PCI DSS 3.1 will prepare and protect organizations with a more pragmatic security standard. Stephen Orfei, PCI SSC general manager, said that in addition to addressing the SSL issue, the update includes some minor changes, such as clarifications of language, extra guidance in the introductory sections and updates to specific testing procedures to align testing objectives with the requirements.
The PCI DSS 3.1 and related support resources can be accessed through the official website of PCI SSC.