
PCI DSS 3.1 to Address SSL Security Holes

SSL – the bell tolls for thee.

PCI DSS 3.1 is expected to be released this month. The update takes aim at the SSL (Secure Sockets Layer) protocol, which is no longer considered by the PCI Security Standards Council to be “strong encryption.” For businesses, this revision will mean taking a hard look at their environments to make sure they are still in compliance.

“SSL is used as a protocol in a host of services, applications and services, many of which – POS systems, WWW hosting, load balancers, etc – may require configuration changes,” said Don Brooks, senior security engineer at Trustwave. “Merchants should contact all third-party vendors and ask for specific information about how [or] if their product or service is impacted.”

In a FAQ, the PCI Security Standards Council explains that the National Institute of Standards and Technology (NIST) has identified SSL v3.0 as not being acceptable for data protection due to “inherent weaknesses” within the protocol. As a result, the council has decreed that no version of SSL meets its definition of strong cryptography.

“The successor protocol to SSL is TLS (Transport Layer Security) and its most current version as of this publication is TLS 1.2,” according to the FAQ. “TLS 1.2 currently meets the PCI SSC definition of ‘strong cryptography’.”

PIN Transaction Security Point-of-Interaction terminals, such as magnetic card readers or chip card readers that let a consumer pay with a payment card, can be affected if the software on those terminals communicates using the SSL protocol, the FAQ notes.

“As known vulnerabilities are difficult to exploit in this environment, the Council considers this a lower priority risk compared to web servers and browsers,” according to the FAQ. “Organizations will need to remain up-to-date with vulnerability trends to determine whether or not they are susceptible to any known exploits.”

For e-commerce businesses in particular, step one is making sure that none of their systems or servers support any non-secure protocols, including any version of SSL, said Brooks, adding that it was important to look beyond servers because many applications and services support SSL.
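A concrete way to carry out that check is to look at what protocol version a server actually negotiates rather than what its documentation claims. The script below is an added example, not code from the article or from any of the vendors quoted in it: it parses the TLS record and handshake headers of a ServerHello and reports whether the negotiated version is SSL (which the Council says never qualifies as strong cryptography) or TLS 1.2 (which the FAQ says does). The sample ServerHello bytes are constructed inline so the script runs offline; in practice you would feed it the first server response captured from a port of interest.

```python
import struct

# Protocol version numbers as they appear on the wire (major.minor).
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

HANDSHAKE_RECORD = 0x16   # TLS record content type for handshake messages
SERVER_HELLO = 0x02       # handshake message type for ServerHello


def build_server_hello(version: int) -> bytes:
    """Construct a minimal ServerHello record for a given protocol version.

    This is sample input for the example, not a capture from any real system.
    Only the fields up to the negotiated version need to be realistic here:
    version, a zeroed 32-byte random, an empty session id, a cipher suite
    and a null compression method.
    """
    body = (
        struct.pack("!H", version)
        + bytes(32)          # server random (zeroed in the sample)
        + b"\x00"            # session id length = 0
        + b"\xc0\x2f"        # one cipher suite id, any value works for parsing
        + b"\x00"            # compression method: null
    )
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (
        bytes([HANDSHAKE_RECORD])
        + struct.pack("!H", version)        # record-layer version
        + struct.pack("!H", len(handshake))
        + handshake
    )


def negotiated_version(record: bytes) -> int:
    """Return the server_version field from a ServerHello record.

    SSLv2 uses a different record format and will be rejected here; a
    modern server that negotiates TLS 1.3 still writes 0x0303 in this
    field and signals 1.3 in an extension, which this parser does not
    read (TLS 1.3 post-dates the article).
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record (SSLv2 or non-TLS data?)")
    body = record[5:5 + rec_len]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    # body[1:4] is the 24-bit handshake length; the version follows it.
    return struct.unpack("!H", body[4:6])[0]


def assess(record: bytes) -> dict:
    """Classify a negotiated version against the PCI SSC statements above."""
    version = negotiated_version(record)
    name = VERSION_NAMES.get(version, f"unknown (0x{version:04x})")
    if version <= 0x0300:
        verdict = "SSL: not strong cryptography under PCI DSS 3.1"
    elif version == 0x0303:
        verdict = "TLS 1.2: meets the PCI SSC definition of strong cryptography"
    else:
        # The article only addresses SSL and TLS 1.2; treat anything in
        # between as needing review against current PCI SSC guidance.
        verdict = "TLS below 1.2: review against current PCI SSC guidance"
    return {"version": name, "pci_strong": version >= 0x0303, "verdict": verdict}


if __name__ == "__main__":
    for v in (0x0300, 0x0301, 0x0303):
        print(assess(build_server_hello(v)))
```

The `pci_strong` flag is the value to feed into an inventory spreadsheet or a ticketing system; the `verdict` string carries the reasoning. Run the parser over every listening port that speaks TLS, not only the web tier, since the article's point is that POS software, load balancers and hosting services can all be negotiating SSL without anyone noticing.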

E-commerce businesses should also check with any service providers they interact with to ensure they do not use SSL either, advised Gartner analyst Avivah Litan.

“This will be difficult to manage if you have outsourced your ecommerce payment processing to a third party service provider, like an Internet Payment Gateway, who is slow to move off SSL,” she noted.

A similar update for the Payment Application Data Security Standard (PA-DSS) is also forthcoming. Some experts were surprised by the speed of the update, but stated that it underscored the importance of the issue.

“It’s certainly a surprise to see a PCI change moving this rapidly – the normal process is slow and deliberative,” said Mike Lloyd, CTO of RedSeal. “It speaks to the urgency of the issue with SSL. Think of amusement park signs – ‘you must be at least this tall to ride this ride’. The bar is being moved up. What makes this particularly noticeable is that the credit card industry (via PCI) are now declaring something unsafe that most people used to think of as safe – SSL. However, security experts have long known that SSL wasn’t standing up – the longer we’ve worked with it, the more defects have been found.”
