The Lowdown on this Month’s PCI Standards Update
Earlier this month the PCI Security Standards Council released an update to their standards. As of June 30, 2016, SSL and TLS versions, 1.1 or lower will no longer be acceptable security controls (read all of the gory details here). E-commerce merchants must migrate to a more modern encryption protocol (at least TLS v1.2).
But what does it actually mean?
It means that businesses that need to comply with PCI (if you accept credit cards – I mean you) can’t use SSL and TLS version 1.1 encryption protocols to satisfy PCI requirements. Specifically, requirements 2.2.3, and 2.3 – are the requirements that mandate encryption of cardholder data and sensitive information.
Do I use SSL and TLS?
Probably – yes.
SSL/TLS are some of the most widely used encryption protocols on the internet. Unfortunately, they are not perfect, a fact that has been highlighted a number of times in the past year (remember Heartbleed). It’s because of this that PCI is saying no, these can’t be used as your security control.
You can check which versions you are running here.
Another option is to run an ASV scan. It’s a requirement of PCI anyways, and it will help you identify if you are using the affected protocols.
What do I do about it?
Ultimately, you need to convert to TLS 1.2 protocol (at least) but your first step is to make a plan. If you can migrate to the more secure protocol by June 30, 2016 – great! If not, you must document why not, and build a risk mitigation and migration plan.
Here are the recommended steps from the PCI Security Standards Council
- Identify all system components and data flows relying on and/or supporting the vulnerable protocols
- For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol
- Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need
- Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented
- Document a migration project plan outlining steps and timeframes for updates
- Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment
- Perform migrations and follow change control procedures to ensure system updates are tested and authorized
- Update system configuration standards as migrations to new protocols are completed
Overall PCI is saying that early SSL and TLS encryption protocols aren’t secure enough to protect credit card information, so e-commerce merchants should stop using them. If you can’t stop using them immediately, document why, and build a detailed plan that outlines how and when you will be able to upgrade.