Benjamin Hosack

V3.1

The PCI Security Standards Council released a bulletin on 13 February 2015 saying that revised versions of the PCI DSS and PA-DSS standards would be issued shortly. Why is this necessary, given that version 3.0 of the standards only came into effect on 1st January 2015?

The reason is simple and relates to threats such as Poodle, Shellshock and Heartbleed. If these names mean nothing to you, it is time to brush up on the latest security vulnerabilities. They have exposed major weaknesses in widely used protocols and applications, most notably Secure Sockets Layer (SSL).

As the SSC is very keen to point out, it continuously monitors threats and vulnerabilities in order to keep the security standards up to date. Based on information provided by security researchers and the National Institute of Standards and Technology (NIST), SSL is no longer deemed capable of providing reliable strong encryption. The problem is that there is no known way to address the issues identified in SSL; the only option is to remove it completely and replace it with version 1.2 of TLS (Transport Layer Security).

While this is easy to say, it may be more difficult to achieve in practice (certainly within a reasonable timescale). So although PCI DSS and PA-DSS will shortly be updated to exclude the use of SSL v3, almost certainly with immediate effect, QSAs will need to take a pragmatic approach and work with their customers to identify where the older versions of the protocol are used, work out whether the systems in question can be updated, and agree a timetable to implement the changes.

When wide-ranging problems like this are highlighted, it reinforces the need for a properly implemented risk assessment / risk ranking process, along with a comprehensive asset management register, so that any at-risk systems can be identified quickly and accurately. These have long been requirements of PCI DSS and should be the basis of any IT security management system.

My advice would be to start looking at your network infrastructure now. Don’t wait for the PCI Security Standards Council to issue the revised standards and then risk being on the back foot. Identify vulnerable systems and plan to upgrade or mitigate as soon as possible. If you need help, please contact us below.
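The advice to identify where older protocol versions are still in use can be turned into a simple inventory check. The script below is an added example, not code from the original post or from Foregenix; it assumes openssl(1) is installed, relies on the text its s_client subcommand prints, and takes the host and port as placeholders from the command line.

```shell
#!/bin/sh
# Added example (not from the original post): list which SSL/TLS versions a
# service still negotiates, so endpoints accepting SSLv3 can be scheduled for upgrade.
# Relies on the text openssl(1) s_client prints; host and port are placeholders.

# classify OUTPUT -> "accepted <cipher>", "rejected" or "untestable", judged from
# the output of one protocol-pinned s_client handshake.
classify() {
    out=$1
    lower=$(printf '%s' "$out" | tr 'A-Z' 'a-z')
    case $lower in
        *"unknown option"*|*"no protocols available"*)
            # The local OpenSSL build cannot even offer that version (usual for
            # SSLv3 today): this says nothing about the server, so never record it as safe.
            echo "untestable" ;;
        *"cipher is (none)"*)
            echo "rejected" ;;
        *"cipher is "*)
            cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
            echo "accepted $cipher" ;;
        *)
            echo "rejected" ;;
    esac
}

# probe HOST PORT FLAG -> classification for one of -ssl3 -tls1 -tls1_1 -tls1_2
probe() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    classify "$out"
}

# scan HOST PORT -> one line per protocol version, oldest first. Anything other than
# "rejected" for the three legacy flags, or "rejected" for -tls1_2, needs remediation.
scan() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "$2" "$flag")"
    done
}

# Constructed s_client excerpts, used to exercise classify() offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REJECTED='SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'
SAMPLE_UNTESTABLE='s_client: Unknown option: -ssl3'

# Usage: sh scan.sh HOST [PORT]; does nothing when run without arguments.
if [ -n "${1-}" ]; then scan "$1" "${2:-443}"; fi
```

Run it against each host on the asset register and record the result per service; an "untestable" SSLv3 line means the scanning machine, not the target, lacks SSLv3, and the target still needs checking by other means.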

Benjamin Hosack

Benj Hosack is a Director and co-Founder of Foregenix Limited. Foregenix is a specialist information security business delivering services in Forensics, PCI DSS, PCI P2PE, PA-DSS and information security solutions within the Payment Card Industry. Our technologies are designed to simplify security and PCI Compliance. Specialties: Cardholder Data Discovery - defining and reducing PCI DSS Scope / PA-DSS / PCI DSS / P2PE / Account Data Compromise Investigations. We are specialists in the Payment Card Industry and work with all types of companies in the payment chain (Acquiring banks, Processors, hosting providers, web designers, merchants, systems integrators etc).
