
PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates

The PCI Council has announced that it is preparing updated versions of the PCI DSS (v3.1) and PA-DSS (v3.1), which will detail several clarifications and changes to requirements. One of the major changes in v3.1 is that no version of SSL will be considered acceptable as “strong cryptography”. The bulletin from the council states that adherence to the PCI DSS v3.1 and PA-DSS v3.1 standards will be effective immediately, with future-dated requirements to allow organizations time to implement changes.

As of this date, the PCI Council has not released the revised version of the standard. In the meantime, you may hear speculation about the content and about the dates on which requirements or technologies such as SSL will be considered non-compliant. As with all changes to the PCI standards, once we have the official details from the council and can review their guidance, we will be able to properly ascertain the impact on our customers and provide the best options to support their ongoing compliance.

While browsers, web servers, and similar applications are most at risk, a decision to deprecate all SSL equally would have a farther-reaching impact, including embedded devices and payment terminals. Until we learn more, we recommend that organizations begin planning now and be prepared to prioritize any remediation plans.

Based on the details in the bulletin, we recommend you review the current SSL technology used in your environment. This technology may be in place for compliance with particular requirements such as 4.1 (transmission over public networks) and requirement 2.3 (remote administrative access), or to limit scope. When reviewing the various technologies, you may need to consult with vendors, solution providers, or subject matter experts to confirm that you are leveraging more secure protocols. We recommend leveraging the most current versions of TLS available (TLS 1.2 and 1.1 as of this writing; TLS 1.0 should be avoided) and implementing new versions as they become available. We also recommend prioritizing the selection of stronger versions of TLS over weaker ones to reduce risk.
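As an added example (not Control Gap's own tooling), the following Python script shows one way to start the review recommended above for web servers: it parses Apache mod_ssl `SSLProtocol` and nginx `ssl_protocols` directives, flags any SSL version as a hard failure and TLS 1.0 as a warning, and prints a weak setting beside its corrected form. The expansion of Apache's `all` keyword used here is an assumption for a modern 2.4 build; the sample directives are constructed.

```python
"""Audit web-server protocol directives against the PCI DSS 3.1 stance on SSL.

Added example for this post, not Control Gap's own tooling. It understands the
Apache mod_ssl 'SSLProtocol' syntax (all, +proto, -proto) and the nginx
'ssl_protocols' syntax (a plain list). The expansion of Apache's 'all' keyword
below is an assumption for a modern 2.4 build; confirm it against your version.
"""

SSL_VERSIONS = {"SSLv2", "SSLv3"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANONICAL = {name.lower(): name for name in KNOWN}
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumed expansion


def canonical(token):
    """Map a protocol token in any letter case onto its canonical spelling."""
    try:
        return CANONICAL[token.lower()]
    except KeyError:
        raise ValueError("unknown protocol token: %r" % token)


def parse_apache_sslprotocol(line):
    """Return the set of protocols an Apache 'SSLProtocol' directive enables.

    Tokens apply left to right: 'all' or '+name' enables, '-name' disables.
    """
    tokens = line.strip().split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % line)
    enabled = set()
    for tok in tokens[1:]:
        sign = "+"
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        names = APACHE_ALL if tok.lower() == "all" else {canonical(tok)}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def parse_nginx_ssl_protocols(line):
    """Return the set of protocols an nginx 'ssl_protocols' directive enables."""
    tokens = line.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("not an ssl_protocols directive: %r" % line)
    return {canonical(tok) for tok in tokens[1:]}


def audit(enabled):
    """Classify the enabled protocols.

    Any SSL version is a 'fail' (no longer strong cryptography under PCI DSS 3.1);
    TLS 1.0 is a 'warn' (to be avoided, per the recommendation above).
    """
    findings = []
    for proto in sorted(enabled):
        if proto in SSL_VERSIONS:
            findings.append(("fail", proto, "SSL is not strong cryptography under PCI DSS 3.1"))
        elif proto == "TLSv1":
            findings.append(("warn", proto, "TLS 1.0 should be avoided"))
    return findings


def is_compliant(enabled):
    """True when no finding is a hard failure (warnings alone still pass)."""
    return not any(level == "fail" for level, _, _ in audit(enabled))


if __name__ == "__main__":
    # Constructed sample directives: each weak setting beside a corrected form.
    samples = [
        ("apache", "SSLProtocol all"),                            # weak: SSLv3 still on
        ("apache", "SSLProtocol all -SSLv2 -SSLv3"),              # SSL off, TLS 1.0 still on
        ("nginx", "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"),  # weak
        ("nginx", "ssl_protocols TLSv1.1 TLSv1.2;"),              # corrected
    ]
    for kind, line in samples:
        parse = parse_apache_sslprotocol if kind == "apache" else parse_nginx_ssl_protocols
        enabled = parse(line)
        print(line, "->", "PASS" if is_compliant(enabled) else "FAIL")
        for level, proto, why in audit(enabled):
            print("   ", level.upper(), proto, "-", why)
```

Run it directly to see each sample classified; the same parsers can be pointed at lines pulled from your own configuration files. Non-browser SSL-wrapped protocols and embedded devices will not expose a directive like this, so for those the inventory step still needs the vendor or a protocol-level check.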

Below are the PCI Council bulletin and the referenced NIST standards

We have already assisted several clients with vulnerability analysis of several non-browser based SSL wrapped protocols.

We will provide updates and analysis as more information becomes available.
