We have a Payment Card Industry Data Security Standard Update!
The Payment Card Industry Security Standards Council (PCI SSC) has now officially released PCI DSS v3.1. This latest version has been released as part of the 36-month PCI DSS lifecycle and incorporates changes resulting from the end of the version 3.0 feedback period.
Version 3.1 has been published to address vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. To the relief of the reader, version 3.1 provides only minor updates and clarifications to version 3.0, so no need to run for the hills just yet.
For businesses that have been working hard to make sure they are compliant or in line with PCI DSS version 3.0 following version 2.0, a new release of security standards may cause a hint of trepidation or outright panic.
We will attempt to address the changes in this latest update and alleviate concerns you may have for your ongoing PCI projects.
Change defined with version 3.1
Change is good, right?
The PCI Security Standards Council has defined three types of change in version 3.1; they are as follows:
- Clarification – “Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.”
- Additional Guidance – “Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.”
- Evolving Requirement – “Changes to ensure that the standards are up to date with emerging threats and changes in the market.”
The above definitions are taken from the PCI Security Standards Council PDF, linked below: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf
The majority of requirements within version 3.1 haven’t changed dramatically; rather, they have simply been updated to add clarification or stronger wording to support version 3.0.
Changes of note:
PCI DSS Requirements 2.2.3, 2.3, 4.1:
- Exclusion of SSL and early TLS as examples of strong cryptography; they cannot be used as a security control after 30th June 2016.
- Updated testing procedure to recognise all versions of SSL as examples of weak encryption.
- Included SMS as an example of end-user messaging technology and added guidance.
Why the change?
Version 3.1 has in essence been implemented because the PCI Council no longer deems SSL to be a secure technology or best practice and now views all versions of SSL as examples of weak encryption. Various security alerts had demonstrated that SSL was not acceptable for the protection of data due to inherent weaknesses within the protocol.
Following the focus on SSL and early TLS, this latest version update has also been used as a chance to strengthen the wording on requirements, provide a greater focus on some of the more at risk areas in the threat environment, clarify intent, and provide clearer guidance to a host of requirements.
Ultimately this update is targeted at helping merchants/businesses/organisations understand the intent of the requirements and how to adhere to the controls and apply best practice.
You, as a business or a reader with a vested interest in a business, should not wait to ensure removal of these now outdated and insecure technologies (SSL and early TLS) from your environment. The bottom line is that if any of your business software is running SSL 3.0 or SSL 2.0, then you need to reconfigure or upgrade, as soon as possible.
Timeline to comply with version 3.1
As of now:
SSL and early TLS are no longer considered secure or best practice; merchants are prohibited from implementing technology that relies on SSL or early TLS.
By June 30th 2015:
Merchants completing SAQs are required to provide a justification for SSL if they are not able to discontinue its use immediately.
By June 30th 2016:
Merchants are no longer allowed to use SSL or early TLS in any way to protect payment data.
What to do?
As mentioned above, you will need to upgrade or simply reconfigure to rid yourself of outdated software. In some cases across an organisation you may find the need to upgrade one piece of software and reconfigure another.
To upgrade, contact your software vendor to purchase the latest version of the software.
To reconfigure, seek help from your vendor to simply disable SSL 3.0.
Once these initial steps have been taken, don’t stop there: keep up to date with the latest versions of TLS as and when they are available. Contact a PCI DSS expert like Foregenix to assist you with further advice in ensuring your business is fully aligned to version 3.1.
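As an added example (not Foregenix code or anything published by the PCI SSC), here is a small Python check that reads nginx `ssl_protocols` and Apache `SSLProtocol` directives from a configuration file and flags any that still enable SSL or TLS 1.0, with a constructed config showing the weak setting beside its corrected form. The handling of Apache's `all` keyword assumes Apache 2.4, and treating TLS 1.1 as still acceptable is an assumption of the example.

```python
import re

# Versions the v3.1 update rules out: every SSL version plus "early TLS" (TLS 1.0).
# Treating TLS 1.1 as still acceptable is an assumption of this example.
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|SSLProtocol)[ \t]+([^;#\n]+)", re.I | re.M)

def enabled_protocols(directive, args):
    """Return the set of protocol versions a directive leaves enabled."""
    if directive == "ssl_protocols":      # nginx: a plain list of enabled versions
        return set(args)
    enabled = set()                       # Apache: 'all' or '+X' adds, '-X' removes
    for tok in args:
        if tok.lower() == "all":          # assumption: Apache 2.4, whose 'all' excludes SSLv2
            enabled |= set(KNOWN) - {"SSLv2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(config_text):
    """List (line_no, directive, prohibited_versions) for every offending directive."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        directive = "ssl_protocols" if m.group(1).lower() == "ssl_protocols" else "SSLProtocol"
        bad = enabled_protocols(directive, m.group(2).split()) & PROHIBITED
        if bad:
            line_no = config_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, directive, sorted(bad)))
    return findings

# Constructed sample: the weak setting and its corrected form for each server.
SAMPLE_CONFIG = """\
server {                                # nginx, before: still offers SSLv3 and TLS 1.0
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {                                # nginx, after
    ssl_protocols TLSv1.2;
}
SSLProtocol all -SSLv2                  # Apache, before: 'all' still includes SSLv3 and TLSv1
SSLProtocol all -SSLv2 -SSLv3 -TLSv1    # Apache, after
"""

if __name__ == "__main__":
    for line_no, directive, bad in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} still enables {', '.join(bad)}")
```

Run it against a real `nginx.conf` or Apache `ssl.conf` after the vendor's reconfiguration to confirm that no offending directive remains.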
If you have made a raft of changes to your IT environment, it may be worth considering undertaking penetration testing to ensure there are no gaps or critical vulnerabilities following the changes. At a minimum, regular internal and external vulnerability scans will provide consistent data; again, Foregenix can assist with this.