Earlier this year, in response to several high profile retailers making headlines for payment system security breaches, the Payment Card Industry Security Standards Council (PCI SSC) rolled out its latest version of the Data Security Standard. Its primary concern was to address issues related to the Secure Sockets Layer (SSL) encryption protocol.
SSL suffered a number of hits due to vulnerabilities such as the FREAK and POODLE exploits, which resulted in millions of credit card numbers being stolen. Retailers had to take a hard look at the people, processes and technologies in place in their organisations, so as to identify any gaps in infrastructure and applications that could have enabled the breaches to occur.
For any organisation that processes, stores or transmits cardholder data, the PCI DSS can assist in keeping that data secure. Under the rules of the revision, SSL and early versions of TLS (Transport Layer Security) protocol – specifically v1.0 and 1.1 – are no longer considered examples of ‘strong cryptography’.
The move by PCI was in fact prompted by the National Institute of Standards and Technology (NIST), which identified SSL and v3.0 as not being acceptable for data protection purposes. It claimed this was due to “inherent weaknesses within the protocol”.
Companies and organisations have until 30th June 2016 to update to a more recent version of TLS. For those still using SSL and early versions of TLS up until this date, a formal risk mitigation and migration plan must be in place. Effective immediately however, all new implementations must not use SSL or early TLS.
The only exception is for point-of-sale (POS) and point-of-interaction (POI) terminals that have been verified as not being susceptible to all known exploits for SSL and early TLS. Such terminals may continue to use these protocols as a security control after June 2016.
The overall aim of the new DSS is to bring stronger focus to the greater risk areas in the threat environment, as well as more clarity to its own requirements. It places emphasis on the fact that securing cardholder data is a shared responsibility. Organisations must recognise the need to work together in order to better protect their customers’ data, in a payment environment that is growing ever more complex.