The Payment Card Industry (PCI) Security Standards Council has confirmed that its latest Data Security Standard (DSS) 3.1 update, due mid-month, will mandate businesses move away from SSL web encryption because it’s no longer considered strong enough.
The move away from Secure Sockets Layer (SSL) web encryption in PCI DSS 3.1 is in response to the Heartbleed bug last year, Shellshock, Poodle and other such hacker exploits, which exposed inherent flaws in the SSL web security layer.
Online users often only notice SSL when a little padlock appears online to denote that the encrypted transmission of sensitive payment data is now possible, allowing a transaction to go ahead, or when viewing SSL security certificates.
The SSL security fears caused the National Institute of Standards and Technology (NIST), a Department of US Commerce government body, to rule that the web encryption layer should not be considered strong cryptographic protection anymore.
The standard technology for establishing an encrypted link between a web server and a browser will be replaced by a move towards the Transport Layer Security (TLS) encryption protocol instead.
E-commerce businesses will need to make sure their web servers are configured to work with TLS and turn off their SSL support. This could start a rush by merchants to implement the surprise update over the next couple of weeks, in time for PCI DSS 3.1 compliance, although payment processors will likely face the greatest compliance challenge.
The PCI Security Standards Council SSC announcement posted online last month explained that the inherent weaknesses in the SSL version 3.0 protocol would need an unscheduled update. The PCI DSS standard is normally only updated on a three-year cycle, with the next planned originally not due until autumn 2016. PCI DSS 3.0 was released in November 2013.
The SSC statement noted that, "because of weaknesses [Heartbleed, etc -Ed], no version of the SSL protocol meets the PCI Security Standards Council definition of 'strong cryptography [any longer].'"
Commenting on the surprise PCI SSC move, Michael Aminzade, vice president of global compliance and risk services at security vendor, Trustwave, said a number of corporates would no doubt be wondering how the action affects SSL certificates.
“The reality is that TLS is the evolution of SSL (both are encryption protocols) and that both use the same certificates for security,” he said, urging merchants not to panic, but to educate themselves about the transition. “Most businesses will not need to have their trusted CA certificates reissued,” he added.
“The biggest challenge involves payment applications, since many of them use SSL to move payment transactions from the merchant to the processor.”