make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

PCI Version 3.1 - Changes Coming to SSL

02/25/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security

Share

Social Logo Social Logo Social Logo Social Logo

At this point, merchants should be aware that PCI Version 3.0 went into full effect on January 1, 2015, becoming the sole basis for compliance with the PCI Data Security Standards. But more change is in store, including an impactful shift in PCI’s approach to Secure Sockets Layer (SSL) connections. A notice from the PCI Security Standards Council has indicated that a PCI revision to be labeled PCI DSS Version 3.1 is forthcoming. No specific release date has been announced for the revision, but we can expect it in the very near future. So what will the changes look like? And how will they affect businesses?

Leaving SSL behind

Most of the updates are relatively minor adjustments and clarifications, and should not have any significant impact on an organization’s PCI compliance program efforts. But there is one notable shift that very likely will have an impact: PCI Version 3.1 will specifically indicate that no version of SSL will meet the PCI Council’s definition of strong cryptography. You may recall that last year’s Heartbleed attacks exploited vulnerabilities in SSL technology to collect large volumes of private data. The Heartbleed bug was a vulnerability based on the way SSL was implemented, meaning it could be patched, but since that time, additional vulnerabilities have been uncovered in SSL v3 that are inherent to the nature of the protocol. In short, it’s fundamentally broken and no longer considered a secure way to encrypt sensitive data. Now, in light of such weaknesses, the PCI Standards are leaving SSL behind. Based on the information provided by the Council, we expect that the updated rules will specifically prohibit use of SSL v1, v2, and v3 for transmitting credit card data over open, public networks.

What it means for merchants

It’s important to note that this reclassification does not apply to the newer and more secure Transport Layer Security (TLS) protocol. In fact, the Council will likely recommend that merchants utilize TLS to replace prohibited usages of SSL. Because PCI Version 3.0 already requires the use of strong encryption, the Council doesn’t regard this update as a “significant” change to the Standards, but the fact remains that for many organizations this will represent a considerable shift. In the past, the Council has acknowledged significant changes to the PCI standard by allowing a “phase-in” period to lessen the burden on affected entities, and it is possible that the Council will provide a similar window with this change. To get a head start on the transition, organizations can reference the instructions at https://disablessl3.com/ to learn how to disable SSL support for a wide range of devices.

For more information on the PCI update and the move away from SSL, contact LBMC directly or watch this space. We will monitor the changes and report details on the release date and other specifics as they are available. Ready to learn more? Be sure to download the free guide, PCI Compliance Guidelines Explained. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. If you have questions, please contact us. Learn more about our PCI Compliance services.

Get a Quote for PCI Services

Ready to move ahead with your PCI project? Answer 9 questions and get a quote for your PCI compliance needs.

Download LBMC's PCI Compliance Guide

Download our guide, PCI Compliance Guidelines Explained, for more ways to stay up to date with PCI compliance for your firm.

Download the PCI Guide

Posted in: PCI Compliance