PCI SSC releases version 3.1, eschews SSL, early TLS
Organizations have 14 months to comply with PCI SSC Version 3.1, which addresses vulnerabilities in SSL and early TLS.
After browser attacks like POODLE and BEAST took advantage of vulnerabilities in Secure Sockets Layer (SSL), the latest update to the PCI Data Security Standard, PCI DSS Version 3.1, released Thursday has ditched SSL and early Transport Layer Security (TLS) encryption protocols in favor of the more secure current version of TLS.
Noting “inherent weaknesses” identified in SSL by the National Institute of Standards and Technology (NIST) that could put payment data at risk, a PCI Council release said that upgrading to a more secure version of TLS, SSL's successor, "is the only known way to remediate these vulnerabilities.”
“The fact that the PCI Council saw fit to release an out-of-band update underscores the real threat that the recent SSL and TLS vulnerabilities pose to payment security,” Brendan Rizzo, technical director, HP Security Voltage, said in an email statement sent to SCMagazine.com.
Because SSL and TLS “pre-date the advanced threats we see today,” Mark Bower, global director, product management, HP Security Voltage, explained in an email statement to SCMagazine.com, “they only protect data in transit for limited paths.”
TLS, he noted, “is often terminated at a load balancing tier, for example, before the data then enters cloud or web applications.”
3.1 addresses the risk by removing SSL and early TLS as strong cryptography examples in updates to the standard's 2.2.3, 2.3 and 4.1 requirements. While the Council said the revisions were effective immediately it did allow a “sunset date” of June 30, 2016, so that organizations have time to make the changes, but those companies must implement a formal risk mitigation and migration plan in the meantime. After that date, organizations can no longer use early TLS and SSL as security controls to safeguard payments. The exception is point of sale (POS) terminals that are not susceptible to any of the exploits known for vulnerable versions of the two protocols.
Referring to the 14-month transition period as “liberal” enough to give companies adequate time to make changes, Rizzo urged companies to “begin planning now in order to make sure that they do not overrun” the deadline. He warned that companies that do not begin formalizing security upgrade plans “could result in tough questions being asked and, ultimately, in significant reputational damage” if a breach occurs, even before the PCI Council's implementation deadline.
New implementations are not to use SSL or early TLS protocols either, the PCI Council said.
PCI SSC General Manager Stephen W. Orfei, in a statement in the release, said with updated standards, which are “based on industry and market input,” the PCI SSC is “arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”
Despite the fixes and its clear instructions to organizations to implement change, though, “the SSC has a challenging role in trying to balance the risk of vulnerable protocols against the logistical challenges faced by merchants and other organizations involved in the transmission of payment card data,” Andrew Wild, chief information security officer (CISO) of Lancope, said in a statement emailed to SCMagazine.com. “Unfortunately, coordinating the widespread upgrade or replacement of payment card hardware/software isn't trivial, given how geographically distributed the payment systems are.”
The group will retire PCI DSS Version 3.0 on June 30, 2015, but the Version 3.1 is available now on the PCI SSC website.