PCI DSS Deadline for Disabling SSL/Early TLS Looms
The PCI Data Security Standard (PCI DSS) deadline to disable SSL/early TLS protocols and better protect payment card data is less than two weeks away.
If you're in the financial services industry, have an e-commerce site, or if your business stores, processes or transmits cardholder, the countdown is on.
In order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data businesses need to disable SSL (Secure Sockets Layer) or early TLS (Transport Layer Security) and replace it with a more secure protocol by June 30, 13 days from now.
While TLS 1.1 or higher is acceptable, PCI Security Standards Council (PCI SSC), a Wakefield, Mass. consortium whose executives hail from American Express, Discover, Mastercard, and Visa, strongly encourages TLS v1.2.
TLS 1.2, defined in RFC 5246 in August of 2008, tightens up security all around. It replaces MD5-SHA-1 in the pseudorandom function with SHA-256, and adds support for authenticated encryption with additional data modes, among other tweaks.
The PCI SSC moved the deadline from June 30, 2016 to June 30, 2018 what seems like eons ago, in December 2015. The move, mandated by many companies years ago, aligns with industry best practices for security and data integrity.
The move was spurred years ago by a slew of capitalized, five letter vulnerabilities in SSL/TLS, like POODLE, BEAST, CRIME, and Heartbleed, a nasty bug in OpenSSL, an implementation of TLS, that came to light in April 2014. All of the vulnerabilities demonstrated a weakness, either in a client's ability to fallback to a vulnerable SSL version (POODLE, Heartbleed) or in TLS (BEAST, CRIME).
PCI SSC stresses that organizations either upgrade or disable any fallback to SSL/early TLS. If they haven't already companies in transition should have a formal Risk Mitigation and Migration Plan in place as well.
Failure to comply with PCI-DSS could result in fines, ranging from 5,000 to $500,000. Banks periodically report if merchants are complying to PCI DSS to credit card agencies, which can then choose companies to look into further. Failure to comply could ultimately affect an organization’s ability to take credit card payments as well.
A study carried out by Verizon last year found that 100 percent of PCI certified companies that experienced a breach also failed a PCI compliance audit, meaning none were fully PCI DSS compliant at the time of their breach. Furthermore – and perhaps more alarming – half of those organizations failed to maintain PCI compliance year after year.
There’s only one condition that organizations can still run these deprecated protocols. Only POS POI terminals that have been verified as not being susceptible to exploits can use SSL/early TLS. Otherwise systems using the cryptographic protocols will not considered as demonstrating strong cryptography.
Keeping Customer Financial Data Safe
The PCI Security Standards Council (PCI SSC) made a slight revision to v3.2.1 – which replaced v3.2 – of the standard last month. The revision was primarily pushed to account for dates that have already passed, like February 1 this year, when requirements introduced in PCI DSS version 3.2 needed to be adopted by organizations.
The changes include:
- Removal of notes referring to an effective date of 1 February 2018 for applicable requirements, as this date has passed.
- Updates to applicable requirements and Appendix A2 to reflect that only POS POI (point of sale point of interaction) terminals and their service provider connection points may continue using SSL/early TLS as a security control after 30 June 2018.
- Removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, as MFA is now required for all non-console administrative access; addition of one-time passwords as an alternative potential control for this scenario.
Per usual with payment card security standards, the cycle is in constant flux. PCI DSS v3.2 will remain valid through December 31, 2018 and will be retired as of 1 January 2019.