The Payment Card Industry Data Security Standard was updated last month in an unusual out-of-band revision that emphasizes just how important the PCI considers the changes it has made. The next revision wasn’t due until 2016. PCI DSS 3.1 delivers new requirements focused on what the PCI believes to be an ongoing risk to cardholder data security: SSL.
The essence of the revisions is blunt and to-the-point:
“SSL and early TLS cannot be used as security controls to protect payment data after 30 June 2016.”
If you follow online security news, the reasoning behind these changes should be clear. SSL and early versions of TLS have been implicated in a host of security vulnerabilities. They are no longer up to the task of keeping cardholder data secure. Exploits including the vicious POODLE vulnerability have demonstrated the weakness of SSL.
Although its weakness has been known for some time, the wheels of change move slowly in the enterprise and eCommerce worlds, and so many eCommerce retailers are still using the insecure protocols.
To clarify: in common usage, the term “SSL” refers to the whole process of securing communications between server and browser (and other applications), and the associated certificates are usually called SSL certificates. Technically, though, SSL denotes a specific set of cryptographic protocols that have been in use since the mid-90s and have long been superseded by TLS, the later versions of which are considered secure.
What Does PCI DSS 3.1 Mean For eCommerce Retailers?
The first thing to stress is that eCommerce retailers themselves are responsible for the security of cardholder data used in their store. If data leaks because the PCI DSS isn’t adhered to, it’s the retailer who will be held responsible — even if the failings are technically the fault of their hosting provider.
Retailers who use a managed hosting provider like Nexcess have relatively little to do to prepare for the new standards. It will be taken care of by the hosting provider, but because retailers are on the hook here, they should make sure that their eCommerce host is doing the right thing.
Retailers have until June 30, 2016 to comply, but that date should be treated as a hard deadline rather than a target: the PCI expects retailers to begin the move towards compliance as soon as possible. At the very least, retailers still using SSL and early versions of TLS are expected to immediately identify where the weak cryptography is in use and develop a plan for migrating to more secure versions of TLS.
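The two steps the standard asks for first, finding where SSL and early TLS are still enabled and switching them off, can be scripted. The following is an added example written for this post; it is not code from the original article or from Nexcess. It audits nginx-style `ssl_protocols` directives in a constructed sample config, rewrites a non-compliant directive, and builds a hardened Python `ssl.SSLContext` for applications that terminate TLS themselves. Treating TLS 1.1 as "early TLS" alongside TLS 1.0 is an assumption of the script, not a statement from the post.

```python
"""Audit and remediation helpers for the PCI DSS 3.1 move away from SSL/early TLS.

Added example, not from the original post or from Nexcess. The nginx-style
config below is constructed sample input, and the choice to treat TLS 1.1 as
well as TLS 1.0 as "early TLS" is an assumption of this script.
"""
import re
import ssl

# Protocol versions that may no longer serve as security controls.
# Including TLSv1.1 is an assumption (the post names only "SSL and early TLS");
# remove it from the set if your assessor scopes early TLS as 1.0 only.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})

# Constructed sample: two server blocks as they might be found on an older host.
SAMPLE_NGINX_CONFIG = """\
server {
    listen 443 ssl;
    server_name shop.example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 8443 ssl;
    server_name api.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

_SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def audit_nginx_protocols(config_text):
    """Return (line_number, weak_versions) for every ssl_protocols directive
    that still enables SSL or early TLS; an empty list means compliant."""
    findings = []
    for match in _SSL_PROTOCOLS_RE.finditer(config_text):
        enabled = set(match.group(1).split())
        weak = sorted(enabled & WEAK_PROTOCOLS)
        if weak:
            # Line number of the directive: newlines before the match, plus one.
            line_no = config_text.count("\n", 0, match.start()) + 1
            findings.append((line_no, weak))
    return findings


def compliant_protocols_directive(config_line):
    """Rewrite one ssl_protocols directive with the weak versions removed,
    so the hardened line can be dropped straight back into the config."""
    match = _SSL_PROTOCOLS_RE.match(config_line)
    if match is None:
        raise ValueError("not an ssl_protocols directive")
    kept = [p for p in match.group(1).split() if p not in WEAK_PROTOCOLS]
    if not kept:
        kept = ["TLSv1.2"]  # never leave the server with nothing to offer
    return "ssl_protocols " + " ".join(kept) + ";"


def hardened_server_context():
    """Server-side SSLContext that refuses SSL 3.0, TLS 1.0 and TLS 1.1,
    for Python services that terminate TLS themselves rather than behind nginx."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_minimum_version_name():
    """Name of the lowest protocol version the hardened context will accept."""
    return hardened_server_context().minimum_version.name


if __name__ == "__main__":
    for line_no, weak in audit_nginx_protocols(SAMPLE_NGINX_CONFIG):
        print(f"line {line_no}: still enables {', '.join(weak)}")
    print(compliant_protocols_directive(
        "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"))
    print("application minimum:", hardened_minimum_version_name())
```

Run against a real config, the audit gives the inventory the PCI asks retailers to produce first; the rewrite and the `SSLContext` cover the two common places a storefront terminates TLS, the web server and the application itself. A hosting provider's own checks should still be confirmed, since the retailer carries the compliance responsibility.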
For full information about the changes PCI DSS 3.1 brings, eCommerce retailers can consult the PCI Council’s press release and their Summary of Changes from PCI DSS Version 3.0 to 3.1.