
PCI DSS 3.1 to Address SSL Security Holes

SSL – the bell tolls for thee.

PCI DSS 3.1 is expected to be released this month. The update takes aim at the SSL (Secure Sockets Layer) protocol, which the PCI Security Standards Council no longer considers "strong cryptography." For businesses, the revision will mean taking a hard look at their environments, including the systems and third-party services that still negotiate SSL, to make sure they remain in compliance.

"SSL is used as a protocol in a host of services, applications and services, many of which - POS systems, WWW hosting, load balancers, etc - may require configuration changes," said Don Brooks, senior security engineer at Trustwave. "Merchants should contact all third-party vendors and ask for specific information about how [or] if their product or service is impacted."

In a FAQ, the PCI Security Standards Council explains that the National Institute of Standards and Technology (NIST) has identified SSL v3.0 as unacceptable for data protection because of "inherent weaknesses" in the protocol. As a result, the council has ruled that no version of SSL meets its definition of strong cryptography.

"The successor protocol to SSL is TLS (Transport Layer Security) and its most current version as of this publication is TLS 1.2," according to the FAQ. "TLS 1.2 currently meets the PCI SSC definition of 'strong cryptography'."

PIN Transaction Security (PTS) Point-of-Interaction (POI) terminals, such as the magnetic-stripe or chip card readers that let a consumer pay with a card, can also be affected if the terminal software communicates over SSL, the FAQ notes.

"As known vulnerabilities are difficult to exploit in this environment, the Council considers this a lower priority risk compared to web servers and browsers," according to the FAQ. "Organizations will need to remain up-to-date with vulnerability trends to determine whether or not they are susceptible to any known exploits."

For e-commerce businesses in particular, step one is making sure that none of their systems or servers support any non-secure protocols, including any version of SSL, said Brooks, adding that it was important to look beyond servers because many applications and services support SSL.
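One way to carry out that first step is to ask each server directly which protocol versions it will negotiate. The script below is an added example, not code from the article, Trustwave, or the PCI SSC: it hand-builds a minimal ClientHello for SSLv3 and each TLS version, sends it, and classifies the first record the server returns (a ServerHello means the offer was accepted; an Alert means it was refused). Building the record by hand avoids a common false negative, since modern OpenSSL builds are usually compiled without SSLv3, so `openssl s_client -ssl3` fails locally for reasons unrelated to the server. The cipher-suite list and the placeholder hostname are assumptions of the example.

```python
"""Probe a TLS endpoint for SSLv3/TLS support with hand-built ClientHello records.

Added example (not from the article or the PCI SSC): one ClientHello per
protocol version, then classify the first record the server sends back.
"""
import os
import socket
import struct
import sys

# Protocol version numbers as they appear on the wire (major, minor).
VERSIONS = {
    "SSLv3": 0x0300,
    "TLSv1.0": 0x0301,
    "TLSv1.1": 0x0302,
    "TLSv1.2": 0x0303,
}

# Assumed suite list: RSA-key-exchange suites defined for every version above,
# so an offer is never refused merely because no suite exists for that version.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version: int, sni: str = "") -> bytes:
    """Return one TLS record carrying a ClientHello that offers only `version`."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"   # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                            # one compression method: null
    if version >= 0x0301 and sni:                                  # SSLv3 has no extensions block
        name = sni.encode("idna")
        server_name = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni_list = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    record_version = min(version, 0x0301)  # real clients keep the record layer at <= TLS 1.0
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_server_response(data: bytes) -> dict:
    """Classify the first record returned after a ClientHello (works on captured bytes too)."""
    if len(data) < 5:
        return {"result": "no-response"}            # server closed without sending a record
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:     # Alert: the offered version was refused
        return {"result": "rejected", "alert": data[6]}
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake / ServerHello
        negotiated = struct.unpack("!H", data[9:11])[0]
        return {"result": "accepted", "version": negotiated}
    return {"result": "unexpected", "content_type": content_type}


def probe(host: str, port: int, version: int, timeout: float = 5.0) -> dict:
    """Open one TCP connection, send a ClientHello at `version`, classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version, sni=host))
            data = sock.recv(4096)
    except OSError as exc:
        return {"result": "error", "detail": str(exc)}
    return parse_server_response(data)


def check_host(host: str, port: int = 443) -> dict:
    """Probe every version in VERSIONS and return {name: classification}."""
    return {name: probe(host, port, number) for name, number in VERSIONS.items()}


def accepted_ssl_versions(results: dict) -> list:
    """Offers for which the server negotiated a pre-TLS (SSL) version: any hit fails the PCI DSS 3.1 bar."""
    return [name for name, r in results.items()
            if r.get("result") == "accepted" and r.get("version", 0x0301) < 0x0301]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host, assumed
    results = check_host(target)
    for name, r in results.items():
        print(f"{name:8} {r}")
    print("SSL accepted:", accepted_ssl_versions(results) or "none")
```

Run it as `python probe.py shop.example` against each public endpoint, load balancer and payment API in scope; anything listed under "SSL accepted" needs a configuration change before the assessment. The probe reads only the first record, so it cannot tell you which cipher suites or TLS versions are preferred, only whether SSLv3 is still on the table.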

E-commerce businesses should also check with any service providers they interact with to ensure they do not use SSL either, advised Gartner analyst Avivah Litan.

"This will be difficult to manage if you have outsourced your ecommerce payment processing to a third party service provider, like an Internet Payment Gateway, who is slow to move off SSL," she noted.

A similar update for the Payment Application Data Security Standard (PA-DSS) is also forthcoming. Some experts were surprised by the speed of the update, but stated that it underscored the importance of the issue.

"It’s certainly a surprise to see a PCI change moving this rapidly – the normal process is slow and deliberative," said Mike Lloyd, CTO of RedSeal. "It speaks to the urgency of the issue with SSL. Think of amusement park signs – ‘you must be at least this tall to ride this ride’. The bar is being moved up. What makes this particularly noticeable is that the credit card industry (via PCI) are now declaring something unsafe that most people used to think of as safe – SSL. However, security experts have long known that SSL wasn’t standing up – the longer we’ve worked with it, the more defects have been found."
