Will the PCI Council Kill SSL Usage?
A recent issue of the Assessor Newsletter, distributed by the Payment Card Industry Security Standards Council (PCI SSC), contains a paragraph that will concern businesses that must comply with PCI DSS for online transactions:
Notice: PCI DSS and PA-DSS v3.1 Revisions Coming
In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue.
We are working with industry stakeholders to determine the impact and the best way to address the issue. While we do not have the final publication date, our goal is to keep you apprised of the progress and to provide you with advanced notification for these pending changes. We are also preparing several FAQs that will accompany release of the revised standards.
Should you have any questions, please contact your Program Manager.
If the PCI Council officially announces that SSL is no longer deemed "strong cryptography", then customers still using SSL 3.0 to transfer cardholder data (CHD) will need to move to Transport Layer Security (TLS) 1.2, and possibly to Internet Protocol Security (IPsec), to protect CHD in transit.
It should be noted that TLS 1.0 and 1.1 cannot negotiate authenticated encryption with associated data (AEAD) cipher suites such as AES-GCM; those exist only in TLS 1.2 and later. The earlier versions are limited to CBC-mode and RC4 suites with known practical attacks (BEAST, CBC padding-oracle attacks such as Lucky 13, RC4 keystream biases), so the target configuration is TLS 1.2 with an AEAD cipher suite, not merely "any version of TLS".
Companies should review the configurations of their systems and applications to ensure that vulnerable versions of SSL and TLS are no longer supported: inventory every system that still offers them, then develop a plan to discontinue those protocols.
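As an added example (not part of the original post, and not a Sword & Shield or PCI SSC tool), the script below audits the protocol directives of the two most common web servers, Apache httpd's `SSLProtocol` and nginx's `ssl_protocols`, computes the set of versions each line actually enables, flags SSL and early TLS, and prints the hardened replacement next to each weak directive. The `+`/`-`/bare-name semantics are my reading of mod_ssl's directive parser (a bare name replaces what came before, which is why `SSLProtocol TLSv1 TLSv1.1 TLSv1.2` leaves only one version enabled), the expansion of `all` assumes mod_ssl 2.4 with an OpenSSL that supports TLS 1.3, and the configuration fragments in `SAMPLE_CONFIG` are constructed for the demonstration:

```python
"""Audit Apache/nginx TLS protocol directives for SSL and early-TLS exposure."""
import re

# Protocol names mod_ssl and nginx accept, keyed lower-case (both match case-insensitively).
PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
# Versions below PCI SSC's "strong cryptography" bar: every SSL, plus TLS 1.0/1.1 (no AEAD suites).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: what 'all' expands to in mod_ssl 2.4 (SSLv2 dropped; TLSv1.3 present with OpenSSL 1.1.1+).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Matches either directive, with or without nginx's trailing ';' and an optional '#' comment.
DIRECTIVE_RE = re.compile(
    r"^\s*(?P<name>SSLProtocol|ssl_protocols)\s+(?P<value>[^;#]+?)\s*;?\s*(?:#.*)?$", re.IGNORECASE
)


def apache_effective_protocols(value):
    """Return (enabled set, warnings) for an Apache SSLProtocol value.

    Assumed mod_ssl rule: '+name' adds, '-name' removes, and a bare name REPLACES
    everything set so far (mod_ssl itself logs a warning in that case).
    """
    enabled, warnings = set(), []
    for tok in value.split():
        action = tok[0] if tok[0] in "+-" else None
        name = tok[1:] if action else tok
        if name.lower() == "all":
            this = set(APACHE_ALL)
        elif name.lower() in PROTOCOLS:
            this = {PROTOCOLS[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            if enabled:
                warnings.append(f"{tok!r} overrides previously listed protocols (missing +/- prefix?)")
            enabled = this
    return enabled, warnings


def nginx_effective_protocols(value):
    """nginx's ssl_protocols is a plain list: exactly the named versions are enabled."""
    enabled = set()
    for tok in value.split():
        if tok.lower() not in PROTOCOLS:
            raise ValueError(f"unknown ssl_protocols token {tok!r}")
        enabled.add(PROTOCOLS[tok.lower()])
    return enabled, []


def hardened_directive(is_apache):
    """The replacement to recommend: TLS 1.2 only, plus TLS 1.3 (newer than the article, same bar)."""
    return "SSLProtocol -all +TLSv1.2 +TLSv1.3" if is_apache else "ssl_protocols TLSv1.2 TLSv1.3;"


def audit(config_text):
    """Scan config text line by line; return one finding dict per protocol directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        is_apache = m.group("name").lower() == "sslprotocol"
        parse = apache_effective_protocols if is_apache else nginx_effective_protocols
        enabled, warnings = parse(m.group("value"))
        weak = enabled & WEAK
        findings.append({
            "line": lineno,
            "directive": line.strip(),
            "enabled": sorted(enabled),
            "weak": sorted(weak),
            "compliant": not weak,
            "warnings": warnings,
            "fix": hardened_directive(is_apache),
        })
    return findings


# Constructed sample input: four Apache lines and two nginx lines, weak and hardened forms side by side.
SAMPLE_CONFIG = """\
# --- constructed Apache httpd fragments ---
SSLProtocol all                         # every version, SSLv3 included
SSLProtocol all -SSLv3                  # SSLv3 gone, but TLS 1.0/1.1 remain
SSLProtocol TLSv1 TLSv1.1 TLSv1.2       # bare names: only the LAST token survives
SSLProtocol -all +TLSv1.2               # hardened
# --- constructed nginx fragments ---
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "OK  " if f["compliant"] else "WEAK"
        print(f"{status} line {f['line']}: {f['directive']}")
        print(f"      enables {f['enabled']}")
        for w in f["warnings"]:
            print(f"      warning: {w}")
        if not f["compliant"]:
            print(f"      weak: {f['weak']}  ->  replace with: {f['fix']}")
```

Run it against a real `httpd.conf` or `nginx.conf` by passing the file contents to `audit()`; a directive that is absent altogether means the server's compiled-in default applies, which this script does not evaluate, so treat "no finding" as "check the default for that version", not as a pass.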
If you have questions about your PCI compliance program, Sword & Shield can help you plan, analyze, track and monitor your program, which reduces your cost, saves you time and limits your frustration.
Eric Walker is a senior security analyst with Sword & Shield. He performs network vulnerability, penetration testing, web application testing and wireless, firewall, physical and social engineering assessments for a diverse group of commercial and government clients.