Projects must not use SSL and early TLS to protect payment data
PCI DSS v3.0 is being retired. Many companies are still unaware that PCI DSS 3.1 gives them a sunset date of 30 June 2016 for migrating away from SSL and early TLS, and that, effective immediately, new projects must not use SSL or early TLS as security controls to protect payment data.
Kevin Bocek, Vice President of Security Strategy and Intelligence at Venafi, recently spoke out about this. He stated:
“In April 2015, PCI DSS version 3.1 was published to address vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. Basically, TLS is dead. Long live Transport Layer Security (TLS). Starting today, new projects must not use SSL or early Transport Layer Security (TLS).
After a slew of vulnerabilities, from Heartbleed to POODLE, the PCI Security Standards Council (PCI SSC) determined that all versions of SSL and early versions of TLS could no longer be relied upon to protect cardholder data. SSL and TLS could allow attackers to perform man-in-the-middle attacks and read what was thought to be authenticated encrypted communications. As explained in the PCI SSC guide ‘Migrating from SSL and Early TLS’, organisations must identify use of SSL/TLS, plan a remediation strategy and move to the secure protocols, encrypt data before transmission, or apply additional layers of transmission security that are not vulnerable, such as IPsec. This migration must be performed by 30 June 2016 to comply with PCI DSS 3.1.
With the increasing number of vulnerabilities and attacks involving SSL/TLS and cryptographic keys and digital certificates, the PCI is reminding organisations that they need to be ready to respond and remediate quickly. Future scenarios may require much shorter remediation time frames and require not just changes to configurations, but also replacement of cryptographic keys and digital certificates, much like with Heartbleed.
Finding all keys and certificates, determining what should be trusted and not, and automatically replacing and responding to vulnerabilities are important steps in preparing for a future where more encryption will be used and more vulnerabilities and attacks are certain.”
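The first step the migration guide asks for, identifying where SSL and early TLS are still in use, can be done on the wire: the version a client offers or a server selects is carried in the first handshake message. The script below is an added example and is not code from the page, from Venafi or from the PCI SSC. It parses the version fields of a captured ClientHello or ServerHello in both the SSLv2-compatible format and the TLS record format (including the TLS 1.3 supported_versions extension) and grades the message. The policy it applies is an assumption made for the example: SSLv2, SSLv3 and TLS 1.0 fail, TLS 1.1 is flagged for review, TLS 1.2 and later pass. The sample messages are constructed inline by `build_hello`, not taken from real captures.

```python
import struct

# Version words as they appear on the wire: (major, minor).
VERSION_NAMES = {
    (2, 0): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 extension type


def grade(version_name):
    """Assumed policy for this example: no SSL, no TLS 1.0; review TLS 1.1."""
    if version_name in ("SSLv2", "SSLv3", "TLS 1.0"):
        return "FAIL"
    if version_name == "TLS 1.1":
        return "WARN"
    if version_name in ("TLS 1.2", "TLS 1.3"):
        return "OK"
    return "UNKNOWN"


def _name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown %d.%d" % (major, minor))


def _extension_versions(buf):
    """Walk a TLS extensions block; return the versions in supported_versions."""
    found, off = [], 0
    while off + 4 <= len(buf):
        etype, elen = struct.unpack("!HH", buf[off:off + 4])
        edata = buf[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != SUPPORTED_VERSIONS_EXT:
            continue
        if len(edata) == 2:                      # ServerHello: selected_version
            found.append(_name(edata[0], edata[1]))
        else:                                    # ClientHello: 1-byte length + list
            n = edata[0]
            found += [_name(edata[i], edata[i + 1]) for i in range(1, 1 + n, 2)]
    return found


def hello_versions(data):
    """Return (message kind, protocol versions offered or selected).

    Raises ValueError for non-hello data; truncated records raise IndexError."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte length with high bit set, msg type 1 (CLIENT-HELLO),
        # then the highest version the client will speak.
        return "SSLv2-format ClientHello", [_name(data[3], data[4])]
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not an SSLv2 hello or a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 6 or body[0] not in (1, 2):
        raise ValueError("record does not carry a ClientHello or ServerHello")
    kind = "ClientHello" if body[0] == 1 else "ServerHello"
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    legacy = _name(hello[0], hello[1])           # (legacy_)version field
    off = 2 + 32                                 # skip the 32-byte random
    off += 1 + hello[off]                        # session_id
    if kind == "ClientHello":
        off += 2 + struct.unpack("!H", hello[off:off + 2])[0]   # cipher_suites
        off += 1 + hello[off]                                   # compression_methods
    else:
        off += 2 + 1                             # cipher_suite, compression_method
    versions = []
    if off + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[off:off + 2])[0]
        versions = _extension_versions(hello[off + 2:off + 2 + ext_len])
    # Without supported_versions, the legacy field is the real version.
    return kind, versions or [legacy]


def audit(data):
    """Grade a captured hello by the worst version it offers or selects."""
    kind, versions = hello_versions(data)
    order = ["OK", "WARN", "FAIL", "UNKNOWN"]
    worst = max((grade(v) for v in versions), key=order.index)
    return {"kind": kind, "versions": versions, "grade": worst}


def build_hello(kind, legacy, supported=None):
    """Constructed sample: a minimal ClientHello/ServerHello record (not a real capture)."""
    body = bytes(legacy) + b"\x00" * 32 + b"\x00"          # version, random, empty sid
    if kind == "client":
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"          # one suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"
    if supported:
        if kind == "client":
            lst = b"".join(bytes(v) for v in supported)
            ext = struct.pack("!HH", 43, len(lst) + 1) + bytes([len(lst)]) + lst
        else:
            ext = struct.pack("!HH", 43, 2) + bytes(supported[0])
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([1 if kind == "client" else 2]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(legacy) + struct.pack("!H", len(hs)) + hs


SAMPLES = {  # constructed messages, labelled by what they carry
    "sslv2 hello offering SSLv3": b"\x80\x23\x01\x03\x00" + b"\x00" * 32,
    "tls1.0 client": build_hello("client", (3, 1)),
    "tls1.2 server": build_hello("server", (3, 3)),
    "tls1.3 client offering 1.3/1.2/1.0": build_hello("client", (3, 3), [(3, 4), (3, 3), (3, 1)]),
    "tls1.3 server": build_hello("server", (3, 3), [(3, 4)]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit(raw))
```

A ClientHello that still lists TLS 1.0 is graded FAIL even when it also offers TLS 1.3, because the question the migration guide asks is whether any endpoint is still willing to speak the old protocol, not only what a given session negotiated; a ServerHello carries exactly one version, so its grade is the negotiated outcome.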