DSS 3.1 Using More Secure TLS

Monday, April 20, 2015 @ 01:04 PM gHale


After a series of attacks took advantage of vulnerabilities in Secure Sockets Layer (SSL), the latest update to the PCI Data Security Standard is using the more secure current version of Transport Layer Security (TLS).

Noting “inherent weaknesses” identified in SSL by the National Institute of Standards and Technology (NIST) that could put payment data at risk, a PCI Council release said it latest update, PCI DSS Version 3.1, which released Thursday, will use the more secure version of TLS “is the only known way to remediate these vulnerabilities.” TLS is SSL’s successor.

RELATED STORIES
Free Code Used for Ransomware
Cryptowall: New Version of Ransomware
IL Police Meet Ransomware Demands
DDoS Attack Costs on Rise

Version 3.1 addresses the risk by removing SSL and early TLS as strong cryptography examples in updates to the standard’s 2.2.3, 2.3 and 4.1 requirements.

While the Council said the revisions were effective immediately it did allow a “sunset date” of June 30, 2016, so organizations have time to make the changes, but those companies must implement a formal risk mitigation and migration plan in the meantime.

After that date, organizations can no longer use early TLS and SSL as security controls to safeguard payments. The exception is point of sale (POS) terminals that are not susceptible to any of the exploits known for vulnerable versions of the two protocols.

New implementations are not to use SSL or early TLS protocols either, the PCI Council said.

PCI SSC General Manager Stephen W. Orfei, said with updated standards, “based on industry and market input,” the PCI SSC is “arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”

Despite the fixes and its clear instructions to organizations to implement change, though, “the SSC has a challenging role in trying to balance the risk of vulnerable protocols against the logistical challenges faced by merchants and other organizations involved in the transmission of payment card data,”

The group will retire PCI DSS Version 3.0 on June 30, 2015, but the Version 3.1 is available now on the PCI SSC website.



Leave a Reply

You must be logged in to post a comment.