At some point this month the PCI Security Standards Council, the body that sets the standards organizations must follow to accept credit and debit cards, will officially declare Secure Sockets Layer (SSL) encryption dead.
Instead the Web servers, browsers and payment processing systems of retailers, service providers and others will have to be adapted or converted to use TLS (Transport Layer Security) for secure transmission of card numbers, likely by the end of the year, or be unable to clear a security audit.
It may be a simple change for IT administrators if their software suppliers already have a way to enable TLS, merely clicking a configuration option.
Many organizations have already turned on TLS. TLS is the IETF's successor to SSL and shares its basic design, but its later versions drop the weaknesses of SSL 3.0 (most notably the CBC padding flaw that the POODLE attack exploits) and add stronger cipher suites, such as the AES-GCM suites introduced in TLS 1.2. Other businesses, however, may have to push suppliers for updates.
Exactly how many point of sale systems still use SSL isn’t clear. But Don Brooks, a senior security engineer at Trustwave Holdings Inc., which does security assessments for organizations, said in an interview Wednesday that “there are a lot of point of sale vendors that still use the old SSL protocol to transmit credit card data back to the bank.”
“There are metrics out there that say world-wide as many as 75 per cent of Web servers that do ecommerce support non-secure cyphers.”
“If the customer controls their own Web application they need to go into their server and set it up so it no longer supports any substandard encryption method.” Otherwise those who have to follow PCI will have to work with application vendors.
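As an added example, not code from the article, from Trustwave or from the PCI Council, the following Python script does from the outside what Brooks describes: it offers a server exactly one protocol version at a time in a hand-built ClientHello and reports whether the handshake was accepted (ServerHello) or refused (Alert or closed connection). Raw sockets are used on purpose, because a modern OpenSSL build usually has SSLv3 compiled out and cannot send such a hello itself. The cipher list, the sample records and the pass/fail rule in `pci_verdict` are this example's own assumptions, chosen to match what the article says: any SSL accepted is a failure, and TLS below 1.2 is noted because 1.2 is the version the council is steering toward.

```python
"""Check whether a server still accepts SSL 3.0 or early TLS handshakes.

Builds a ClientHello by hand for a chosen protocol version and classifies the
first record the server sends back: a ServerHello means the version was
accepted, an Alert (or a closed connection) means it was refused.
"""
import os
import socket
import struct

# Wire encoding of protocol versions: (major, minor).
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# A small set of widely implemented suites so even an old server has one to pick
# (assumed list for this example; a real scanner offers many more).
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
]

# Alert descriptions (RFC 5246 section 7.2) a version probe is likely to see.
ALERT_DESC = {40: "handshake_failure", 47: "illegal_parameter",
              70: "protocol_version", 80: "internal_error", 86: "inappropriate_fallback"}


def build_client_hello(version, server_name=None):
    """Return one TLS record carrying a ClientHello for the given version."""
    major, minor = VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                       # client_version
        + os.urandom(32)                            # client random
        + b"\x00"                                   # empty session id
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
    )
    # SSL 3.0 predates hello extensions, so SNI is only attached for TLS.
    if server_name and version != "SSLv3":
        host = server_name.encode("idna")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        name_list = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the server's first record: ('accepted', version) or ('refused', why)."""
    if len(data) < 5:
        return ("refused", "connection closed without a TLS record")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:                         # Alert
        return ("refused", ALERT_DESC.get(payload[1], "alert %d" % payload[1]))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        negotiated = VERSION_NAMES.get((payload[4], payload[5]), "%d.%d" % (payload[4], payload[5]))
        return ("accepted", negotiated)
    return ("refused", "unexpected content type %d" % content_type)


def probe(host, version, port=443, timeout=5.0):
    """Offer exactly one protocol version to host:port and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""  # a server that silently drops old hellos counts as refusing
    return parse_server_response(data)


def pci_verdict(results):
    """Assumed rule for this example, applied to {version: outcome}: any SSL
    accepted is a failure; TLS 1.0/1.1 accepted is a warning, since TLS 1.2
    is the version the council is steering toward."""
    failures = [v for v, o in results.items() if v.startswith("SSL") and o == "accepted"]
    warnings = [v for v, o in results.items() if v in ("TLSv1.0", "TLSv1.1") and o == "accepted"]
    return ("FAIL" if failures else "PASS", failures, warnings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    outcomes = {v: probe(target, v)[0] for v in VERSIONS}
    print(target, outcomes, pci_verdict(outcomes))
```

Run it against a live host (`python probe.py shop.example`) to get one line per target. Only the first record is inspected, which is enough for a version check; a server that answers SSLv3 with a ServerHello is the one that needs its configuration changed before an assessor sees it.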
The move by the PCI Security Standards Council to issue a new standard called PCI 3.1 comes only months after PCI 3.0 came into effect, a surprisingly short time for an update. Brooks called it “an extraordinary change.”
But it isn't unexpected: it was inevitable after the U.S. National Institute of Standards and Technology (NIST) concluded that SSL can no longer be considered strong cryptographic protection, a conclusion driven home by the BEAST and POODLE attacks on the protocol's cipher-block-chaining (CBC) cipher suites. The PCI Council mandates that organizations use a protocol with strong cryptography to pass a security audit.
Even before that, Washington had said SSL was no longer acceptable for organizations needing secure communications with the U.S. government.
On Feb. 13 the PCI Council signaled its intention by announcing a pending revision to its data security standard, warning that as of that date no version of SSL was acceptable. That made TLS 1.2 the de facto, if not yet official, requirement.
In case the industry didn't get the message, last week the council issued a statement making it clear that all PCI DSS and PA-DSS v3.0 documentation will be affected, including: Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC), Report on Compliance (ROC), Attestation of Validation (AOV) and Report on Validation (ROV).
While PCI 3.1 will be effective the day it is published, organizations will be given a later deadline to bring their systems into compliance.
That date hasn’t been set yet, but Trustwave’s Brooks guesses it will be the end of this year.
SSL dates back to the mid-1990s, when it was created by Netscape. Version 3.0 was released in 1996 and has been in use ever since. TLS was first defined by the Internet Engineering Task Force in 1999 (TLS 1.0, RFC 2246) as an upgrade.