The PCI SSC (Payment Card Industry Security Standards Council) has announced “impending revisions” to PCI standards affecting all compliant organisations that use the Secure Sockets Layer (SSL) cryptographic protocol:
“The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.”
Weaknesses in SSL v3 include its vulnerability to, among others:
- Renegotiation attack – which allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server.
- Version rollback attacks – whereby an attacker can downgrade the strength of encryption used for communication, making it much simpler to crack. In certain circumstances attackers can recover encryption keys offline and access encrypted data.
- POODLE (Padding Oracle On Downgraded Legacy Encryption) attack – a man-in-the-middle (MITM) exploit that takes advantage of the way that major browsers automatically downgrade to SSLv3, again making it much simpler to gain access to information that should be encrypted.
PCI DSS v3.1 and PA-DSS v3.1
The updates to the PCI standards (which will be designated PCI DSS v3.1 and PA-DSS v3.1) will be effective upon publication, but “impacted requirements will be future-dated to allow organizations time to implement the changes.” The publication date is not yet known.
Until then, the PCI SSC “urges organizations to work with your IT departments and/or partners to understand if you are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.”
Organisations that store, transmit or process cardholder data are advised to upgrade from SSL to TLS (Transport Layer Security) in order to maintain their compliance with the PCI standards.
IT Governance’s PCI consultancy services
Alternatively, email firstname.lastname@example.org or call us on 0845 070 1750 to discuss your requirements.