
SSL no longer acceptable for data protection, PCI SSC says

Weaknesses in the Secure Sockets Layer protocol will require revisions to the PCI DSS — and upgrades to providers' encryption methods.

February 17, 2015

The PCI SSC has announced that no version of Secure Sockets Layer (SSL) technology meets its definition of "strong cryptography," which will require the council to revise its PCI Data Security Standard and Payment Application Data Security Standard.

According to a PCI press release, the announcement stems from a finding by the National Institute of Standards and Technology that the Secure Sockets Layer v3.0 protocol is no longer acceptable for protection of data due to inherent weaknesses within the protocol.

The council said that following its work with stakeholders over the last several months, it will publish PCI DSS v3.1 and PA-DSS v3.1 to address this issue and provide other minor updates and clarifications.

Once published, PCI DSS v3.1 will be effective immediately; however, affected requirements will be future-dated to allow organizations time to implement the changes.

For PA-DSS v3.1, the council is also looking at how to address both future submissions and currently listed applications. A "summary of changes" document for each standard and FAQs will accompany the release of the revised standards to help clarify the impact of these changes, the council's announcement said.

As there is no known way to remediate vulnerabilities in the SSL protocol, the PCI SSC is urging organizations to work with IT departments and partners to determine whether they are using SSL and what options they have for upgrading to a strong cryptographic protocol as soon as possible.

Further details are provided in the following documents:

NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)

NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1) 

©2025 Networld Media Group, LLC. All rights reserved.