PCI DSS — the Payment Card Industry Data Security Standard — is a hugely important standard for eCommerce retailers, those who host eCommerce retailers, and anyone else who deals with credit card data. It sets out the requirements that those handling or storing cardholder data must adhere to.
PCI DSS 3.0 came into force in January 2014, and from the start of this year, merchants could no longer validate their compliance with the older version. That has meant a busy year for eCommerce retailers and hosts, who have been scrambling to make sure that they conform to the updated rules.
This April, the PCI will release a further revision to the standard — PCI DSS 3.1 — which contains a direct response to a threat that followers of this blog will be familiar with: SSL v3. SSL is an old and outdated technology, first used almost a quarter of a century ago, and has long been superseded by TLS in its various revisions. SSL, and SSL v3 specifically, is no longer fit for purpose. Many use "SSL" as shorthand for the encryption most often used to protect Internet users and sites from prying eyes, but it is more correctly referred to as SSL/TLS and, under the new standard, simply TLS, which has long been the recommended cryptographic protocol.
The POODLE vulnerability, which had heads spinning last year, was possible because many sites still offered support for the older protocol. Attackers were able to force browsers to downgrade from TLS to SSL v3, which was, and still is, vulnerable to a padding oracle attack, leaving open the possibility that attackers could read the content of supposedly encrypted data.
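To make the downgrade mechanism concrete, here is an added illustration (not code from the original post, and not a TLS implementation) that models the browser-side "fallback dance" of the time: offer the newest version, and on a failed handshake retry with an older one. The `Server`, `negotiate` and `interfere` names are constructed for the model. It also models the TLS_FALLBACK_SCSV signal from RFC 7507 as one mitigation, and a server with SSL v3 removed as the other, which is the change the post is about.

```python
"""Model of how protocol-version fallback let POODLE land a session on SSL v3.

Added example, not code from the original post. It is a simplified
abstraction of handshake behaviour, not a TLS implementation: the
Server/negotiate helpers and the 'interfere' flag are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Protocol versions in order from oldest to newest.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
RANK = {v: i for i, v in enumerate(VERSIONS)}


@dataclass
class Server:
    """A server that accepts exactly the versions in `supported`."""
    supported: Set[str]

    def respond(self, offered: str, fallback_scsv: bool) -> Optional[str]:
        """Answer a ClientHello whose highest offered version is `offered`.

        Returns the negotiated version, or None for a handshake failure.
        `fallback_scsv` models TLS_FALLBACK_SCSV (RFC 7507): the client marks a
        retry-with-lower-version hello, and a server that supports something
        newer than `offered` aborts instead of quietly downgrading.
        """
        best = max(self.supported, key=RANK.__getitem__)
        if fallback_scsv and RANK[best] > RANK[offered]:
            return None  # inappropriate_fallback alert
        # Otherwise pick the newest supported version not above the offer.
        for v in sorted(self.supported, key=RANK.__getitem__, reverse=True):
            if RANK[v] <= RANK[offered]:
                return v
        return None


def negotiate(server: Server, client_versions: Set[str],
              interfere: bool, send_scsv: bool) -> Optional[str]:
    """Client-side fallback behaviour of 2014-era browsers.

    The client offers its newest version; if the handshake fails it retries
    with the next lower one. `interfere` models an on-path party breaking
    every handshake above SSLv3, which is what pushed POODLE victims onto the
    vulnerable protocol. Returns the version the session ends on, or None.
    """
    attempts = sorted(client_versions, key=RANK.__getitem__, reverse=True)
    for retry, offered in enumerate(attempts):
        if interfere and offered != "SSLv3":
            continue  # broken handshake: client treats it as failure, retries lower
        chosen = server.respond(offered, fallback_scsv=send_scsv and retry > 0)
        if chosen is not None:
            return chosen
    return None


LEGACY = Server({"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"})   # still offers SSL v3
HARDENED = Server({"TLSv1.0", "TLSv1.1", "TLSv1.2"})          # SSL v3 removed
BROWSER = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}          # client of the time


def scenarios() -> dict:
    """The cases the post's argument turns on."""
    return {
        "legacy, undisturbed": negotiate(LEGACY, BROWSER, interfere=False, send_scsv=False),
        "legacy, downgraded": negotiate(LEGACY, BROWSER, interfere=True, send_scsv=False),
        "legacy, downgraded, SCSV": negotiate(LEGACY, BROWSER, interfere=True, send_scsv=True),
        "hardened, undisturbed": negotiate(HARDENED, BROWSER, interfere=False, send_scsv=False),
        "hardened, downgraded": negotiate(HARDENED, BROWSER, interfere=True, send_scsv=False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} -> {result or 'handshake failed'}")
```

The point the model makes: with SSL v3 still enabled, a broken handshake ends the session on SSL v3 rather than failing, whereas a server that has removed SSL v3 (or that honours the fallback signal) turns the same interference into a visible handshake failure, which is the outcome PCI DSS 3.1 is asking hosts to guarantee.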
According to the PCI:
“The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.
After working with stakeholders over the last several months to understand the impact to the industry, the Council will soon publish PCI DSS v3.1 and PA-DSS v3.1 to address this issue and provide other minor updates and clarifications”
In reality, all hosting companies should have stopped using SSL a long time ago, but the Internet is full of legacy servers and devices that don’t support more modern cryptographic technologies, which is why browsers kept supporting the older protocol in the first place. The PCI has taken the unusual step of forcing the issue: to remain compliant once PCI DSS 3.1 goes into effect, hosts and others who need to be PCI-compliant can no longer support the outdated protocol.
Recognizing that it might not be easy for companies to upgrade their infrastructure and software stack, the PCI is providing a grace period. The new standard went into effect this month (April 2015), but the grace period means merchants don’t have to comply until the end of June 2016. However, the PCI expects merchants to implement the changes as soon as possible and to have a roadmap in place for removing SSL v3 support.
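The practical first step in that roadmap is finding where SSL v3 is still switched on. The following is an added example (not code from the post or from the PCI SSC) that audits nginx `ssl_protocols` and Apache mod_ssl `SSLProtocol` directives and shows the weak setting beside the corrected one; the configuration fragments are constructed, and the audit understands only those two directives.

```python
"""Audit nginx and Apache httpd TLS settings for lingering SSL v3 support.

Added example, not code from the original post or from the PCI SSC. The
sample configuration fragments are constructed; the audit understands only
the `ssl_protocols` (nginx) and `SSLProtocol` (Apache mod_ssl) directives.
"""
import re
from typing import List, Set, Tuple

# (line number, offending line, recommended replacement)
Finding = Tuple[int, str, str]

RECOMMENDED_NGINX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
RECOMMENDED_APACHE = "SSLProtocol all -SSLv2 -SSLv3"

# Versions that must never be enabled; extend per policy.
FORBIDDEN = {"SSLv2", "SSLv3"}
# What Apache's "all" keyword expands to when the OpenSSL build still has SSL v3.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}


def audit_nginx(config: str) -> List[Finding]:
    """Flag ssl_protocols lines enabling a forbidden version, plus a
    TLS-enabled config that leaves the directive unset (the default then
    depends on the nginx build, so it should be stated explicitly)."""
    findings: List[Finding] = []
    seen = False
    for num, line in enumerate(config.splitlines(), 1):
        m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
        if not m:
            continue
        seen = True
        if FORBIDDEN & set(m.group(1).split()):
            findings.append((num, line.strip(), RECOMMENDED_NGINX))
    uses_tls = re.search(r"listen\s+[^;]*\bssl\b|\bssl\s+on\s*;", config)
    if uses_tls and not seen:
        findings.append((0, "(ssl_protocols not set)", RECOMMENDED_NGINX))
    return findings


def apache_enabled(args: str) -> Set[str]:
    """Evaluate an SSLProtocol argument list: 'all', '+X', '-X' or bare 'X'."""
    enabled: Set[str] = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit_apache(config: str) -> List[Finding]:
    """Flag SSLProtocol lines whose net effect enables a forbidden version."""
    findings: List[Finding] = []
    for num, line in enumerate(config.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line)
        if m and FORBIDDEN & apache_enabled(m.group(1)):
            findings.append((num, line.strip(), RECOMMENDED_APACHE))
    return findings


# Constructed sample fragments: the weak setting and its corrected form.
NGINX_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
NGINX_FIXED = NGINX_WEAK.replace("SSLv3 ", "")

APACHE_WEAK = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""
APACHE_FIXED = APACHE_WEAK.replace("-SSLv2", "-SSLv2 -SSLv3")

if __name__ == "__main__":
    for label, result in [("nginx weak", audit_nginx(NGINX_WEAK)),
                          ("nginx fixed", audit_nginx(NGINX_FIXED)),
                          ("apache weak", audit_apache(APACHE_WEAK)),
                          ("apache fixed", audit_apache(APACHE_FIXED))]:
        print(label, "->", result or "no SSL v3 found")
```

The Apache check evaluates the directive rather than grepping for the string, because `SSLProtocol all -SSLv2` never mentions SSL v3 yet still enables it; the nginx check treats a missing directive on a TLS listener as a finding for the same reason. Running this over real configuration files only tells you what the file says, so pair it with a live handshake check against each host after the change is deployed.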