PCI SSC has issued PCI DSS 3.1 outside its usual cycle in order to respond to threats. So what’s the emergency?
On 15 April 2015, the PCI Security Standards Council (PCI SSC) announced the release of PCI DSS v3.1. Most practitioners are hip deep in upgrading to 3.0 which went into full effect on 1 January, just a few months prior.
Major updates to PCI DSS are usually 36 months (three years) apart. This is needed to give retailers (many of whom are national and possibly international in scope) reasonable time to upgrade and comply.
However PCI SSC can (and in this case did) issue updates outside that cycle to respond to threats, as needed. So what’s the emergency? After all 3.0 required significant changes to the self-assessment questionnaires.
In a word, it’s POODLE, or Padding Oracle On Downgraded Legacy Encryption, designated CVE-2014-3566. The major driver of PCI DSS 3.1 is the industry’s conclusion that SSL version 3.0 is no longer a secure protocol and therefore must be addressed by the PCI DSS.
What is SSL and What Happened to it?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private. Critical for e-commerce, SSL assures that no third party can eavesdrop between your browser and your website as you part with sensitive information like your credit card number.
SSL v3.0 was released in 1996 by Netscape. It was superseded by Transport Layer Security (TLS) 1.0, released in 1999 and updated to v1.2 in 2008.
While weaknesses were identified in SSL 3.0, it was still considered safe for use up until October 2014, when the POODLE vulnerability came to light. POODLE is a flaw in the SSL 3.0 protocol itself, so it’s not something that can be fixed with a software patch.
POODLE allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or email systems.
Although SSL has been superseded by Transport Layer Security, it’s still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte and time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.
What does PCI DSS 3.1 Require you to do?
According to the new rules, companies have until June 30, 2016, to update to a more recent version of TLS. Prior to this date, existing implementations using SSL and or early TLS must have a formal risk mitigation and migration plan in place. Effective immediately, all new implementations must not use SSL or early TLS.
Bottom Line
Any business software running SSL 2.0 or 3.0 must be reconfigured or upgraded.
Note that most SSL/TLS deployments support both SSL 3.0 and TLS 1.0 in their default configuration. Newer software may support SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. In these cases the software simply needs to be reconfigured. Older software may only support SSL 2.0 and SSL 3.0 (if this is the case, it is time to upgrade).
A vulnerability scan from a security solution provider will identify insecure implementations.
About the Author
AN Ananth is co-founder and CEO of EventTracker. With an extensive background in product development and operations for telecom network management, Ananth has consulted for many companies on their compliance strategy, audit policy and automated reporting processes. Ananth is a leading expert in IT compliance with over 20 years of experience in IT-control and operations.