The latest update to the Payment Card Industry Data Security Standard (PCI DSS) is a small but important one. PCI DSS 3.2.1 does away with Secure Sockets Layer (SSL) and early-Transport Layer Security (TLS), the common cryptographic protocols consumers use to connect to secure websites to make payments.
The deadline for replacement of SSL was 30 June 2018.
Simeon Tassev, MD and qualified security assessor (QSA) at Galix, comments: “The PCI DSS standard is updated regularly and, while this latest version does not add anything new, it does make a number of best practices mandatory. The SSL update has been a long time coming. However, it’s especially relevant given the increase in ecommerce and the rapid growth of cyber threats.”
The latest version of PCI DSS mandates that more secure alternatives to SSL and early TLS, such as TLS 1.2, now be used to safeguard payment data.
“This change will affect banks, payment gateways, online retailers and service providers, and e-commerce platforms – essentially any organisation that accepts payments or facilitates secure transactions online,” says Tassev.
What is the urgency and how big is the threat to SSL users?
Tassev explains: “The PCI Security Standards Council issued notices a number of years ago warning that the encryption used in SSL and early TLS protocols was no longer secure and that payment data was at risk.
“Essentially, if the SSL encryption is broken, the security of the session is compromised — every keystroke within an online session can be recorded and payment details, including passwords or pins made vulnerable. In fact, it would be possible to intercept all payments going through the site.
“While many organisations have put mitigation strategies in place, they continue to allow access to their sites using SSL encryption to ensure users with older browsers can still connect to their sites.
“However, with the release of PCI DSS 3.2.1, organisations that have not removed this option by now will be in breach of the PCI DSS requirements, wilfully putting consumers’ payment data at risk.”
Closing off access to SSL encryption is a matter of running a small script. The change is not expected to affect many users: the browsers affected are those that are over 15 years old, such as Microsoft's Internet Explorer 6, which was released in 2001.
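For readers who want to see what such a change looks like in practice, the fragment below is an added illustration for an nginx web server, not the script the article refers to and not Galix's code. It assumes the HTTPS server block lives in a file such as /etc/nginx/conf.d/payments.conf (an assumed path) and shows the legacy protocol line beside the hardened one.

```nginx
# Added example (assumed nginx deployment, not the article's own script).
# The commented-out line is the kind of legacy setting that keeps SSLv3,
# TLS 1.0 and TLS 1.1 enabled for very old browsers; the active line below it
# is the PCI DSS 3.2.1-compatible replacement (TLS 1.2 and later only).
server {
    listen 443 ssl;
    server_name payments.example.com;   # placeholder hostname

    ssl_certificate     /etc/ssl/certs/payments.crt;      # placeholder paths
    ssl_certificate_key /etc/ssl/private/payments.key;

    # Weak setting (do not use): accepts SSLv3 and early TLS handshakes.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # Corrected setting: SSL and early TLS are refused at the handshake.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

After editing the file, `nginx -t` validates the syntax and `nginx -s reload` applies it without dropping existing connections. A quick way to confirm the change from a client is `openssl s_client -connect payments.example.com:443 -tls1_1`, which should now fail the handshake while `-tls1_2` succeeds; the same protocol check is worth repeating after every server upgrade, since a later change to the configuration can silently re-enable the old protocols.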
“I believe that many organisations are ready for the change, but it’s important for all service providers, especially those that are using e-commerce and payment platforms, to ensure that the changes are implemented. We are tracking a number of larger platform providers for our customers to ensure compliance,” says Tassev.
Other important best practices also become mandatory with the release of PCI DSS 3.2.1.
Many of these are operational process and control changes, enforcing new processes and additional controls. For example, administrators must now begin using two-factor authentication for non-console and remote access to networks.
This means organisations will need to implement secondary authentication mechanisms, such as biometrics, to enable access to specific segments of their networks.
“Compliance with PCI DSS standards requires an ongoing effort. It’s important for organisations to prepare for and stay ahead of mandated requirements if they want to ensure their clients’ data is adequately safeguarded.
“As a PCI DSS specialist, Galix is very focussed on helping its clients to understand the context in which PCI DSS standards are issued, and how they can most simply and sustainably implement the necessary changes to secure their businesses and customers,” concludes Tassev.