Cybersecurity Insights | Blog | Foregenix

PCI DSS / PA-DSS 3.1 is imminent – be ready!

Written by Benjamin Hosack | 3/6/15 9:39 AM

The PCI Security Standards Council released a bulletin on 13 February 2015 saying that a revised version of the PCI DSS and PA-DSS standards would be issued shortly. Why is this necessary, given that version 3.0 of the standards only came into effect on 1st January 2015?

Well, the reason is simple and relates to threats such as POODLE, Shellshock and Heartbleed. If these terms mean nothing to you, it is time to brush up on the latest security vulnerabilities. They have exposed major weaknesses in widely used protocols and applications, most notably Secure Sockets Layer (SSL).

As the SSC is very keen to point out, it continuously monitors threats and vulnerabilities in order to keep the security standards up to date. Based on information provided by security researchers and the National Institute of Standards and Technology (NIST), SSL is no longer deemed capable of providing reliable strong encryption. The problem is that there is no known way to fix the issues identified in SSL; the only option is to remove it completely and replace it with version 1.2 of TLS (Transport Layer Security).

While this is easy to say, it may be harder to achieve in practice (certainly within a reasonable timescale). So although PCI DSS and PA-DSS will shortly be updated to exclude the use of SSL v3, almost certainly with immediate effect, QSAs will need to take a more pragmatic approach and work with their customers to identify where the older versions of the protocol are used, work out whether the systems in question can be updated, and agree a timetable to implement the changes.
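One way to find out which protocol versions a server will still negotiate is to offer each version in its own ClientHello and see whether the server answers with a ServerHello or an Alert. The probe below is an added example, not code from the original post or from Foregenix; the host name is a placeholder and the cipher suite list and version set are assumptions chosen so that both old and current servers find a match.

```python
import os
import socket
import struct

# Protocol versions the probe offers, oldest first (SSLv2 uses a different
# hello format and is not covered here).
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
NAMES = {v: k for k, v in VERSIONS.items()}
# A few widely implemented RSA suites so that legacy and current servers both match.
CIPHER_SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"


def build_client_hello(version, client_random=None):
    """Return a minimal TLS record carrying a ClientHello for `version`."""
    client_random = client_random or os.urandom(32)
    body = (struct.pack(">H", version) + client_random
            + b"\x00"                                   # empty session id
            + struct.pack(">H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                              # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first record the server sends back."""
    if len(data) < 5:
        return "no response"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # Handshake record holding a ServerHello: negotiated version sits at offset 9
        negotiated = struct.unpack(">H", data[9:11])[0]
        return "accepted (%s)" % NAMES.get(negotiated, hex(negotiated))
    if data[0] == 0x15:
        return "refused"   # Alert record, e.g. protocol_version or handshake_failure
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Offer each version on its own connection and record how the server answers."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = classify_reply(sock.recv(4096))
        except OSError:
            results[name] = "no response"
    return results


if __name__ == "__main__":
    for name, outcome in probe("pos-gateway.example.internal").items():  # placeholder host
        print("%-8s %s" % (name, outcome))
```

Any system that reports "accepted" for SSLv3 (or answers a TLSv1.2 offer with a lower version) belongs on the remediation list; run it only against hosts you own or are engaged to assess.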

When wide-ranging problems like this come to light, it reinforces the need for a properly implemented risk assessment / risk ranking process, along with a comprehensive asset management register, so that any at-risk systems can be identified quickly and accurately. These have long been requirements of PCI DSS and should be the basis of any IT security management system.

My advice would be to start looking at your network infrastructure now. Don’t wait for the PCI Security Standards Council to issue the revised standards and then risk being on the back foot. Identify vulnerable systems and plan to upgrade or mitigate as soon as possible. If you need help, please contact us below.