The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard (PCI DSS) with an eye towards addressing security concerns related to the Secure Sockets Layer (SSL) protocol.
PCI DSS v3.1 is available here. The update marks the latest critique of SSL security, which has taken a number of hits due to vulnerabilities such as FREAK and POODLE. Under the rules of the revision, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered examples of “strong cryptography.” The standard defines early TLS as TLS v1.0 as well as version 1.1 in some cases.
The move by the council follows the National Institute of Standards and Technology (NIST) identifying SSL v3.0 as not being acceptable for data protection purposes due to “inherent weaknesses” within the protocol. As a result, the council decided to update the PCI standard.
According to the new rules, companies have until June 30, 2016, to update to a more recent version of TLS. Prior to this date, existing implementations using SSL and or early TLS must have a formal risk mitigation and migration plan in place. Effective immediately, all new implementations must not use SSL or early TLS.
Point-of-sale (PoS) and point-of-interaction (POI) terminals such as magnetic card readers or chip card readers that enable a consumer to make a purchase that can be verified as not being susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after June 30.
“We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data,” said PCI SSC General Manager Stephen W. Orfei, in a statement. “The PCI Standards development process allows us to do this based on industry and market input. With PCI DSS 3.1 and supporting guidance we are arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”
The fact that the PCI Security Standards Council saw fit to release an out-of-band update underscores the threat recent SSL and TLS vulnerabilities pose to payment security, said Brendan Rizzo, technical director, HP Security Voltage.
“Despite the real and immediate threat, many businesses have annual budgets and resource constraints to contend with which will preclude an immediate response,” said Rizzo. “The fourteen month transition time should address this issue, however companies must begin planning now in order to make sure that they do not overrun this liberal transitionary period. If companies do not start to formalize a plan for appropriate security upgrades right away, any breach that they might incur could result in tough questions being asked and, ultimately, in significant reputational damage – even if it occurs before the PCI Council’s implementation deadline.”