PCI DSS 3.1 Forces Move From SSL to TLS

E-commerce firms will be forced to migrate their web servers from SSL to TLS support later this month or face non-compliance with the latest version of industry standard PCI DSS.

The Payment Card Industry Security Standards Council (SSC), which manages the standards, will release version 3.1 in response to damaging vulnerabilities such as Heartbleed, Shellshock and POODLE, which take advantage of security holes in the protocol.

Online merchants will have to switch off SSL and ensure their web servers support TLS, while bricks and mortar stores may need to tweak payment applications and should consult their provider, security vendor Trustwave advised.

As both TLS and SSL use the same certificates for security, firms will not need to get their trusted CA certs reissued, the vendor added.

Trustwave vice president of global compliance and risk services, Michael Aminzade, claimed that the biggest challenge facing firms would be with their payment apps, as many of them use SSL to secure communications between merchant and third party processor.

PCI DSS 3.0 only took full effect on 1 January 2015, but SSL has come under increasing criticism in recent months after high profile flaws were found – so the PCI SSC has decided to act now.

It follows the US National Institute for Standards and Technology, which last year released advice urging all federal agencies to upgrade to TLS 1.2.

The PCI SSC had the following earlier this year:

“The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of ‘strong cryptography,’ and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.”

However, merchants will be given a short grace period in which to get compliant.

The “impacted requirements will be future-dated to allow organizations time to implement the changes,” PCI SSC said.

What’s Hot on Infosecurity Magazine?