The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of the PCI DSS Standard, ahead of the usual 3 year release cycle for the standard on April 15th 2015.
With many companies already making vast internal efforts on complying with PCI DSS Version 3.0 released which went into effect on 1st January 2015, this new revision has taken many organisations by surprise.
What changes are in the new release?
This new PCI DSS Version 3.1 provides additional guidance on a number of the requirements, aimed at helping QSA’s and organisations understand more fully the intent on the requirements.
There is however one major change, that being an evolving requirement that the PCI SSC no longer consider SSL to be considered strong cryptography. According to the PCI Council FAQ: “The successor protocol to SSL is TLS (Transport Layer Security) and its most current version as of this publication is TLS 1.2,” according to the FAQ. “TLS 1.2 currently meets the PCI SSC definition of “strong cryptography”.
- Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons considered insecure.
- Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
This change is a result of the discovery of the POODLE vulnerability (or Padding Oracle On Downgraded Legacy Encryption, designated CVE-2014-3566) last year. This meant that encrypted communications could be intercepted by a man-in-the-middle attack at a compromised network such as a Hotel WiFi Hotspot, or compromised ISP. As the vulnerability was a fault within the protocol itself, this is not something which can be easily patched or mitigated through compensating controls.
What do I Need to Do to Comply?
This new standard comes into immediate effect, so your organisation should disable the use of this protocol as soon as is practical. Due to the wide usage of SSL across differing technologies in organisations of varying sizes, the PCI SSC have set a date to 30th June 2016 to implement a newer version of TLS 1.2
Both SSL and early version of TLS are now prohibited. If you are implementing a solution which relies on cryptography for secure data transmission within your organisation, you will need to ensure that you will be using TLS Version 1.2 or above to ensure you will be complying with PCI DSS 3.1.
If you have POS (Point of Sale) or POI (Point of Interaction) Terminal what uses SSL or an early version of TLS, which you can demonstrate as not susceptible to any known SSL attack, these can continue to be used after 30th June 2016
What if i cannot disable SSL or early TLS?
Anyone completing a SAQ (Self Assessment Questionnaire) after 30th June 2015 , will need to advise their acquiring bank, external QSA, internal ISA or card brand what plans you have in-place to disable this weak cryptography, if you are unable to immediately discontinue its use.
You can do this via a Risk Mitigation and Migration Plan (RMMP). It should include at least the following information:
- An explanation of all components and infrastructure using the insecure protocols, and how these are used.
- A risk assessment of the use of SSL/TLS 1.0 in your environment, and the controls implemented to reduce this risk.
- The process you have in-place to keep you aware of any future vulnerabilities with these protocols.
- An internal change control process to ensure your organisation will not introduce the insecure SSL and TLS 1.0 within your infrastructure.
- An SSL Migration Plan for how your organisation will decommission the old protocol, with a target date of before 30th June 2016.
This document should articulate that your organisation has identified the components which are vulnerable, and that a level of acceptable risk has been agreed for the interim period before 30th June 2016
A summary of the changes from version 3.0 to 3.1 can be found here on the PCI DSS Standards Council website.
As a PCI DSS specialist, JAW Consulting UK are well placed to assist organisations with understanding this latest version of the standard.