Payment Card Industry Data Security Standard (PCI DSS) 3.0 will be officially retired today, with firms warned not to use SSL or early TLS for any new projects to secure payment data.
PCI DSS 3.1 was introduced back in April as a response to major security flaws discovered in the open source SSL, including Heartbleed, Shellshock and POODLE.
Firms have a grace period of until 30 June 2016 in which to implement v3.1 compliance, but they will not be able to roll out any new systems with SSL or early versions of TLS from today.
The update means online merchants will have to switch off SSL in web servers and support the latest version of the Transport Layer Security protocol. Bricks and mortar stores will also need to pay attention, especially if they have any payment apps using SSL that may need updating.
The US National Institute for Standards and Technology last year told all government agencies to upgrade to TLS 1.2 as standard.
The speed with which PCI DSS 3.1 was issued – just months after v3.0 took effect on 1 January 2015 – highlights the seriousness with which the industry is treating the series of major flaws discovered in SSL.
“SSL and TLS could allow attackers to perform man-in-the-middle attacks and read what was thought to be authenticated encrypted communications,” explained Venafi vice president of security, strategy and intelligence, Kevin Bocek.
“As explained in the PCI SSC guide ‘Migrating from SSL and Early TLS’ organizations must identify use of SSL/TLS; plan a remediation strategy and move to the secure protocols; encrypt data before transmission; or apply additional layers of transmission security that are not vulnerable, such as IPSEC.”
He added that the payment card industry is trying to send a message to merchants to be ready to respond and remediate quickly in the event of any new security challenges in the future.
“Future scenarios may require much shorter remediation time frames and require not just changes to configurations, but also replacement of cryptographic keys and digital certificates, much like with Heartbleed,” Bocek claimed.
“Finding all keys and certificates, determining what should be trusted and not, and automatically replacing and responding to vulnerabilities are important steps in preparing for a future where more encryption will be used and more vulnerabilities and attacks are certain.”