Impact on SSL from the revised PCI DSS v3.1 Standard on organisations handling cardholder data

Apr 27, 2015

The recently announced updates to the PCI DSS standard mean that all versions of the SSL protocol and early versions of the TLS protocol (TLS v1.0) no longer meet the PCI SSC’s definition of “strong cryptography”. Organisations handling cardholder data must seek to be compliant with these revised standards and will be required to make changes to their IT infrastructures by discontinuing the use of SSL and TLS v1.0 and moving to more suitable options by 30 June 2016. The suitable options at present are the recent versions of TLS, with preference given to the latest version, TLS v1.2, as a long-term solution.

Safeguarding tools and services with suitable security solutions makes it harder for malicious individuals to take advantage of commonly used points of compromise within a network, which can put payment data at risk.

The Secure Sockets Layer and Transport Layer Security protocols (SSL/TLS) are widely used to secure communications between two endpoints, such as a client (a web browser) and a server. A number of vulnerabilities have been discovered in SSL/TLS over the years; all versions of SSL and early versions of TLS could allow a remote attacker to obtain sensitive information and can no longer be relied upon to protect the transmission of data over public or untrusted communications networks.

PCI DSS v3.1 mandates that SSL and early TLS cannot be used as security controls to protect payment data after 30 June 2016. Organisations will not be compliant after this date if they continue to use SSL and/or TLS v1.0 in their environments.

In line with PCI SSC recommendations, organisations should risk-assess their current use of the SSL and TLS v1.0 protocols and discontinue their use. Where it is not possible to migrate away immediately, a formal risk mitigation and migration plan must be put in place. Additionally, SSL and/or early TLS must not be introduced into environments where they don’t already exist.

Guidance on interim risk mitigation approaches, migration recommendations and alternative options for strong cryptographic protocols has been outlined in the PCI SSC Information Supplement “Migrating from SSL and Early TLS”. Organisations should refer to this document when considering their immediate next steps.

The revised standards allow POS POI terminals to continue using SSL and early TLS when it can be shown that the POS POI is not susceptible to the currently known exploits. At present, it is seen to be more difficult to exploit vulnerabilities against POI terminals due to their specific characteristics. However, as attacks are evolving continuously, we recommend that organisations err on the side of caution and also consider upgrading POI terminals where possible.

When upgrading to TLS, preference should be given to TLS v1.2, as not all TLS v1.1 implementations are secure. TLS v1.2 supports numerous cipher suites, and it is recommended to configure servers to support only strong ciphers using sufficiently large key sizes. Organisations should refer to NIST Special Publication 800-52 Revision 1, “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations”, for guidance on securing TLS configurations, and work closely with their IT departments and security teams to ensure that the upgrades are secure.

Due to widespread use of SSL and the complexity of PCI environments, we have received feedback from our clients that they anticipate significant challenges in assessing the impact of these new requirements and in planning the required changes to suit their environments. Organisations are also likely to face challenges in carrying out the necessary changes in the required timeframe and ensuring that their operations are not affected.

Failure to implement effective and robust transport layer security will expose sensitive data. 7Safe recommends that organisations review their environment to identify appropriate mitigations, such as disabling SSLv3 and disabling insecure cipher suites that provide less than 128 bits of security.
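As an added example (not code from the original post or from 7Safe), the following Python script turns the two recommendations above (a TLS v1.2 protocol floor, and no cipher suites below 128 bits of security) into an automated audit of a server-side `ssl.SSLContext`. The `LEGACY_SERVER` description is constructed sample data in the shape of `SSLContext.get_ciphers()` records, and the thresholds, the "fail"/"warn" severities and the `WEAK_NAME_MARKERS` list are assumptions of this example.

```python
import ssl

# Assumed thresholds for this example: SSL and TLS v1.0 are out after
# 30 June 2016, TLS v1.1 is tolerated but TLS v1.2 is preferred, and
# cipher suites must offer at least 128 bits of security.
PCI_FLOOR = ssl.TLSVersion.TLSv1_1
PCI_PREFERRED = ssl.TLSVersion.TLSv1_2
MIN_STRENGTH_BITS = 128
# Assumed name-based blocklist for suites OpenSSL rates at 128 bits
# (e.g. RC4) that are nevertheless not considered strong.
WEAK_NAME_MARKERS = ("RC4", "NULL", "EXPORT", "MD5")

def audit(min_version, ciphers):
    """Return (severity, message) findings. min_version is an ssl.TLSVersion;
    ciphers are dicts shaped like ssl.SSLContext.get_ciphers() records."""
    findings = []
    if min_version < PCI_FLOOR:
        findings.append(("fail", f"protocol floor {min_version.name} permits SSL/TLS v1.0"))
    elif min_version < PCI_PREFERRED:
        findings.append(("warn", "TLS v1.1 accepted; prefer a TLS v1.2 floor"))
    for suite in ciphers:
        name, bits = suite["name"], suite["strength_bits"]
        if bits < MIN_STRENGTH_BITS:
            findings.append(("fail", f"{name}: only {bits}-bit security"))
        elif any(marker in name for marker in WEAK_NAME_MARKERS):
            findings.append(("fail", f"{name}: weak algorithm"))
    return findings

def audit_context(ctx):
    """Audit a live ssl.SSLContext via its configured floor and cipher list."""
    return audit(ctx.minimum_version, ctx.get_ciphers())

def hardened_server_context():
    """Server context with a TLS v1.2 floor and forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx

# Constructed sample: a legacy server still negotiating SSLv3/TLS v1.0 and
# offering 3DES and RC4, written in the shape of get_ciphers() output.
LEGACY_SERVER = {
    "min_version": ssl.TLSVersion.MINIMUM_SUPPORTED,
    "ciphers": [
        {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
        {"name": "DES-CBC3-SHA", "strength_bits": 112},
        {"name": "RC4-MD5", "strength_bits": 128},
    ],
}
```

Running `audit(LEGACY_SERVER["min_version"], LEGACY_SERVER["ciphers"])` reports the protocol floor, 3DES and RC4 as failures, while `audit_context(hardened_server_context())` returns no findings.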

To find out more about how to become compliant with PCI DSS contact us.

Authors: Sriram Srinivasan and Aditi Ramachandran.