PCI Council releases PA-DSS 3.1, nixes SSL, early TLS
The PCI Security Standards Council (PCI SSC) published a revision to its Payment Application Data Security Standard (PA-DSS), addressing vulnerabilities in the Secure Sockets Layer (SSL) encryption protocol.
PA-DSS 3.1 updates requirements 8.2, 11.1 and 12.1-12.2 “to remove SSL and early TLS as examples of strong cryptography,” a Monday release (PDF) by PCI SSC said. With the updates, PA-DSS 3.1 now syncs with the Council's earlier release of PCI Data Security Standard (PCI DSS) 3.1. The Council noted in the release that if vulnerabilities in SSL are exploited, the security of payment card data can be jeopardized.
“Upgrading payment applications and systems to a minimum of TLS 1.1 (the successor protocol to SSL) is the only known way to remediate SSL vulnerabilities that have been most recently exploited by browser attacks including POODLE and BEAST,” the release said.
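The practical consequence of the requirement change is a configuration floor: a payment application must refuse SSLv2, SSLv3 and TLS 1.0 and negotiate TLS 1.1 or newer. The following Python example is added here to illustrate that floor; it is not code from the Council's release or from any payment vendor. It uses only the standard `ssl` module, sets the acceptable floor at TLS 1.1 as the quoted text states, builds a server context with a stricter TLS 1.2 minimum (the editor's choice, not a page requirement), and includes a check that classifies the protocol name reported by a finished handshake so an operator can audit their own endpoints. The host name and port in the probe function are placeholders.

```python
import socket
import ssl

# Floor taken from the quoted PCI SSC statement: TLS 1.1 is the minimum.
PROTOCOL_FLOOR = ssl.TLSVersion.TLSv1_1

# Names as returned by SSLSocket.version(); anything not listed (e.g. "SSLv2")
# is treated as unacceptable.
_NAME_TO_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def legacy_server_context():
    """The 'before' state: a server context that still lets OpenSSL offer
    every protocol it was built with, including SSLv3 and early TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context(certfile=None, keyfile=None,
                            minimum=ssl.TLSVersion.TLSv1_2):
    """The remediated state. Default minimum is TLS 1.2 (editor's choice,
    stricter than the TLS 1.1 floor in the article); pass
    ssl.TLSVersion.TLSv1_1 to match the floor exactly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    if certfile:  # hypothetical paths supplied by the deployer
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_allows_weak_protocols(ctx):
    """True if the context could still negotiate SSL or early TLS.
    TLSVersion is an IntEnum, so ordering comparisons are meaningful;
    MINIMUM_SUPPORTED (-2) compares below every concrete version."""
    return ctx.minimum_version < PROTOCOL_FLOOR


def is_acceptable_version(name):
    """Classify a negotiated protocol name (from SSLSocket.version())."""
    version = _NAME_TO_VERSION.get(name)
    return version is not None and version >= PROTOCOL_FLOOR


def server_still_accepts(host, port, version):
    """Compliance probe for an endpoint you operate: attempt a handshake
    capped at `version` and report whether the server agreed to it.
    Caveat: if the local OpenSSL was built without early TLS support the
    client side raises before the server is consulted, and this reports
    False; confirm such a result with a second tool."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Placeholder endpoint; replace with a payment host you are authorized to audit.
    host, port = "payments.example.invalid", 443
    print("legacy context weak:", context_allows_weak_protocols(legacy_server_context()))
    print("hardened context weak:", context_allows_weak_protocols(hardened_server_context()))
    for proto in ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"):
        print(proto, "acceptable:", is_acceptable_version(proto))
    print("server still accepts TLS 1.0:",
          server_still_accepts(host, port, ssl.TLSVersion.TLSv1))
```

The two context builders show the configuration change the standard asks for: the only difference between the non-compliant and compliant server is the `minimum_version` floor, which is why the Council could frame the remediation as an upgrade rather than a redesign. `server_still_accepts` is the after-the-change verification step, run against your own systems, that confirms the floor actually took effect on the deployed build.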