SecurityWeek

Compliance

PA-DSS Compliance Rules Revised to Ditch SSL

The PCI Security Standards Council published revisions to the Payment Application Data Security Standard (PA-DSS) this week to address concerns over the Secure Sockets Layer (SSL) protocol.

Effective June 1, the update aligns the regulation with the latest version of the Payment Card Industry Data Security Standard (PCI-DSS), which was revised recently due to concerns over SSL security. According to the PCI Security Standards Council (PCI SSC), organizations need to understand if and how their payment applications are using SSL and upgrade to a secure version of Transport Layer Security (TLS). Under the new rules, upgrading payment applications and systems to TLS 1.1 at a minimum is the only way to properly address recent SSL vulnerabilities such as POODLE and BEAST.
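The first step the council describes, finding out whether a payment application still negotiates SSL, can be done from captured handshakes without touching the application itself. The following is an added example, not code from the SecurityWeek article or from the PCI SSC: it parses the record-layer and handshake headers of a TLS ServerHello (framing per RFC 5246), reads the server_version field, and flags anything below the TLS 1.1 floor that PA-DSS 3.1 sets. The three sample records are constructed in the block and stand in for ServerHellos seen from hypothetical payment applications; SSLv2-style hellos (different framing) are rejected rather than parsed, and TLS 1.3 servers, which advertise 1.3 in an extension rather than in server_version, are reported as TLS 1.2, which is still above the floor.

```python
"""Classify the protocol version negotiated in a TLS ServerHello record.

Added example (not from the SecurityWeek article or the PCI SSC): parses the
record-layer and handshake headers of a ServerHello and checks the
server_version field against the PA-DSS 3.1 floor of TLS 1.1. The sample
records below are constructed here, not captured traffic.
"""
import os
import struct

# Version bytes as they appear on the wire: (major, minor)
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
PA_DSS_31_MINIMUM = (3, 2)  # TLS 1.1 is the lowest version the revised standard accepts

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_SERVER_HELLO = 0x02


def negotiated_version(record: bytes) -> tuple:
    """Return (major, minor) from the server_version field of a ServerHello record.

    Raises ValueError for anything that is not a handshake record carrying a
    ServerHello. SSLv2-style hellos use different framing and are rejected;
    a TLS 1.3 server puts 0x0303 here and signals 1.3 in an extension that
    this parser does not read.
    """
    if len(record) < 11:
        raise ValueError("record too short for a ServerHello")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record (content type 0x%02x)" % content_type)
    body = record[5:5 + rec_len]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    if hs_type != HANDSHAKE_TYPE_SERVER_HELLO:
        raise ValueError("handshake type 0x%02x is not ServerHello" % hs_type)
    # body[1:4] is the 3-byte handshake length; server_version follows at body[4:6]
    return (body[4], body[5])


def version_name(version: tuple) -> str:
    return VERSION_NAMES.get(version, "unknown %d.%d" % version)


def meets_pa_dss_31(version: tuple) -> bool:
    """True when the negotiated version is TLS 1.1 or later."""
    return version >= PA_DSS_31_MINIMUM


def build_server_hello(version: tuple) -> bytes:
    """Construct a minimal, syntactically valid ServerHello record (sample data)."""
    major, minor = version
    # server_version + 32-byte random + session_id_len(0) + one cipher suite + null compression
    hello = bytes([major, minor]) + os.urandom(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HANDSHAKE_TYPE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", CONTENT_TYPE_HANDSHAKE, major, minor, len(handshake)) + handshake


def audit(captures: dict) -> dict:
    """Map each labelled capture to (version name, compliant with PA-DSS 3.1?)."""
    results = {}
    for label, record in captures.items():
        v = negotiated_version(record)
        results[label] = (version_name(v), meets_pa_dss_31(v))
    return results


# Constructed sample captures for three hypothetical payment applications
SAMPLE_CAPTURES = {
    "legacy-pos-terminal": build_server_hello((3, 0)),  # SSLv3: POODLE-exposed
    "web-checkout": build_server_hello((3, 1)),         # TLS 1.0: below the new floor
    "gateway-api": build_server_hello((3, 3)),          # TLS 1.2: compliant
}

if __name__ == "__main__":
    for label, (name, ok) in audit(SAMPLE_CAPTURES).items():
        print("%-22s %-8s %s" % (label, name, "OK" if ok else "UPGRADE REQUIRED"))
```

In practice the records would come from a packet capture taken on the payment application's side of the connection; the point of checking the ServerHello rather than the ClientHello is that it records what was actually negotiated, which is what the standard cares about.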

Though PA-DSS 3.1 was effective June 1, there is a transition period for applications currently undergoing PA-DSS 3.0 validations, according to the council. New application submissions to PA-DSS 3.0 will be accepted until August 31, and apps being validated against PA-DSS 3.0 that are “in queue” by Aug. 31 will have until Nov. 30, 2015, to complete the validation process. The expiry date for payment application listings validated to PA-DSS 3.1 is Oct. 28, 2019.

“The Council works closely with the payment security community on any changes made to the PCI Standards,” said PCI SSC Chief Technology Officer Troy Leach, in a statement. “This update falls in line with our mission of pushing for the best security as soon as possible, while empowering organizations to take a pragmatic, risk-based approach to protecting their data.”

The revisions also include other minor modifications to improve clarity based on stakeholder feedback.

“With the release of version 3.1 of the PA-DSS standard, the PCI SSC has provided payment application vendors with clear guidance on how to best proceed to ensure that their applications align with the PCI DSS v3.1 for which their end-customers (merchants) are responsible,” said Don Brooks, senior security engineer at Trustwave. “Businesses should reach out to their payment application vendor(s) to obtain information about compliance dates for PA-DSS 3.1 as well as determine any compensating controls or risk mitigation efforts that are required in the short term if longer-term fixes are needed for a given application.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
