On 15 April 2015, an updated version of the Payment Card Industry Data Security Standard (PCI DSS v3.1) was released by the PCI Security Standards Council (PCI SSC).  Whilst there are minor updates and clarifications to the Standard, the most significant change addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment card data at risk.

Secure Sockets Layer (SSL) is used to encrypt network traffic, most notably web traffic (i.e. HTTPS). In late 2014 a significant vulnerability was discovered in SSL version 3 that could allow a malicious user to intercept the encrypted traffic. Upgrading to a current, secure version of Transport Layer Security (TLS), the successor protocol to SSL, is the only known way to remediate these vulnerabilities, which have been exploited by browser attacks such as POODLE and BEAST.

To address this risk, Requirements 2.2.3, 2.3 and 4.1 of the Standard have been updated in PCI DSS 3.1 to remove SSL and early TLS as examples of strong cryptography. The revisions are effective immediately, but the impacted requirements have later dates to allow organisations with affected systems to implement the changes:

  • SSL and early TLS cannot be used as security controls to protect payment data after 30 June 2016.
  • Prior to this date, existing implementations that use SSL and/or early TLS must have a formal risk mitigation and migration plan in place.
  • With immediate effect, new implementations must not use SSL or early TLS.
  • Point-of-sale (POS)/Point-of-interaction (POI) terminals (devices such as magnetic card readers or chip card readers that enable customers to make a purchase) that can be verified as not being susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after 30 June 2016.
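The four rules above can be turned into a repeatable check over an inventory of TLS-terminating services, which is what a migration plan needs to track. The following is an added example and not code from the article or from URM: it classifies each (constructed) endpoint record against the 30 June 2016 cut-off, the immediate ban on new implementations and the POS/POI exception, and also builds a server-side `ssl.SSLContext` that no longer negotiates the weak versions. The article does not define "early TLS"; the example assumes it covers TLS 1.0 and TLS 1.1, and the endpoint names, fields and status codes are the example's own.

```python
"""Added example (not from the original article): classify an inventory of
TLS-terminating services against the PCI DSS 3.1 SSL / early TLS timeline,
and build a server-side SSLContext that no longer offers those protocols.
Endpoint records are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
import ssl

# Versions that PCI DSS 3.1 no longer accepts as strong cryptography.
# Assumption: "early TLS" is read here as TLS 1.0 and TLS 1.1.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"})
DEADLINE = date(2016, 6, 30)   # cut-off date stated in the article
BEFORE = date(2016, 1, 1)      # sample assessment dates, constructed
AFTER = date(2016, 7, 1)


@dataclass
class Endpoint:
    name: str
    protocols: frozenset                     # versions the service currently negotiates
    new_implementation: bool = False
    pos_poi_terminal: bool = False
    verified_not_susceptible: bool = False   # verified against all known SSL/early TLS exploits
    has_migration_plan: bool = False


def weak_protocols(ep: Endpoint) -> list:
    """Weak versions this endpoint still accepts, sorted for stable reporting."""
    return sorted(WEAK_PROTOCOLS & ep.protocols)


def assess(ep: Endpoint, today: date) -> str:
    """Apply the PCI DSS 3.1 rules in order of precedence and return a status code."""
    if not weak_protocols(ep):
        return "compliant"
    if ep.new_implementation:
        return "prohibited_new_implementation"   # immediate effect
    if ep.pos_poi_terminal and ep.verified_not_susceptible:
        return "pos_poi_exception"               # may continue past the deadline
    if today > DEADLINE:
        return "prohibited_after_deadline"
    if not ep.has_migration_plan:
        return "migration_plan_missing"          # required before the deadline
    return "migrating"


def assess_inventory(inventory, today: date) -> dict:
    """Map each endpoint name to its status as of the given date."""
    return {ep.name: assess(ep, today) for ep in inventory}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that only negotiates TLS 1.2 or later (Python 3.7+)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforced_minimum(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version a context will accept, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


# Constructed inventory; none of these are real systems.
INVENTORY = [
    Endpoint("web-checkout", frozenset({"TLSv1.2", "TLSv1.3"})),
    Endpoint("legacy-api", frozenset({"TLSv1.0", "TLSv1.2"}), has_migration_plan=True),
    Endpoint("new-gateway", frozenset({"SSLv3", "TLSv1.2"}), new_implementation=True),
    Endpoint("store-pinpad", frozenset({"TLSv1.0"}), pos_poi_terminal=True,
             verified_not_susceptible=True),
    Endpoint("old-mail-relay", frozenset({"TLSv1.0"})),
]

if __name__ == "__main__":
    for when in (BEFORE, AFTER):
        print(f"As of {when}:")
        for name, status in assess_inventory(INVENTORY, when).items():
            print(f"  {name:16s} {status}")
    print("server context minimum:", enforced_minimum(hardened_server_context()))
```

Running the script twice, once before and once after the deadline, shows the same endpoint moving from "migrating" to "prohibited_after_deadline", which is the transition a migration plan has to be reviewed against; the verified POS/POI terminal keeps its exception on both dates, and the new implementation is flagged regardless of date.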

PCI DSS 3.1 requires a migration plan to be in place, which would be formally reviewed as part of an organisation's annual PCI DSS validation, i.e. the qualified security auditor report on compliance (QSA RoC).

For those organisations that are not subject to the requirements of PCI DSS, removing these protocols should still be seen as a high priority; this requirement forms a key part of ISO 27001:2013 controls 13.1.2 (Security of network services) and 12.6.1 (Management of technical vulnerabilities).

As a QSA, URM is ideally placed to provide organisations with advice and guidance on the requirements of PCI DSS, but equally, with its experience of over 100 successful ISO 27001 certification projects, it can assist organisations in implementing a technical vulnerability management process which will help to address the next vulnerability… as it is identified!