The Green Sheet

Tuesday, February 17, 2015

PCI SSC deems SSL v3.0 protocol no longer acceptable

On Feb. 13, 2015, the PCI Security Standards Council issued a follow-up to its Jan. 30 Assessor newsletter. The bulletin indicated the PCI SSC will publish a revision to the Payment Card Industry (PCI) Data Security Standard (DSS) v3.0 and the Payment Application Data Security Standard (PA-DSS) v3.0 in the near future. The revision will address a "few minor updates and clarifications and one impacting change." The impacting change pertains to the Secure Sockets Layer (SSL) v3.0 protocol, which the council said contains inherent weaknesses that prevent it from fitting the definition of "strong cryptography." Thus SSL can no longer be used to satisfy the PCI DSS requirement for strong cryptography when protecting cardholder data in transit.

Following is the bulletin, which the PCI SSC asked recipients to share with business partners and customers:

PCI SSC bulletin on impending revisions to PCI DSS, PA-DSS

13 February 2015

To ensure the continued strength and integrity of PCI Standards for payment data protection, the Council has ongoing processes for monitoring threats and vulnerabilities and for updating the standards as necessary. The National Institute of Standards and Technology (NIST) has identified the Secure Sockets Layer (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.

After working with stakeholders over the last several months to understand the impact to the industry, the Council will soon publish PCI DSS v3.1 and PA-DSS v3.1 to address this issue and provide other minor updates and clarifications.

When published, PCI DSS v3.1 will be effective immediately, but impacted requirements will be future-dated to allow organizations time to implement the changes. For PA-DSS v3.1, the Council is also looking at how to address both future submissions and currently listed applications. A summary of changes document for each standard and FAQs will accompany the release of the revised standards to help clarify the impact of these changes.

In the interim, as there is no known way to remediate vulnerabilities inherent in the SSL protocol, the PCI Security Standards Council urges organizations to work with their IT departments and/or partners to understand if they are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.

Additional Resources

Further details are provided in the following:

  • NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)

  • NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)
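The bulletin's interim advice is to find out whether your systems still speak SSL. The following is an added example, not part of the PCI SSC bulletin or of this article: a Python probe that sends a bare SSL 3.0 ClientHello to a server and reports whether the server answers with an SSL 3.0 ServerHello (it still accepts the deprecated protocol) or rejects it with an alert or a closed connection. It works at the raw record layer because current OpenSSL builds, and therefore Python's ssl module, will not negotiate SSL 3.0 at all. The offered cipher-suite list and the two sample replies are constructed for the example; the probe_sslv3 helper is the only part that needs a live host.

```python
"""Probe for SSL 3.0 support with a hand-built ClientHello (added example)."""
import os
import socket
import struct

SSLV3_VERSION = b"\x03\x00"

# Constructed for this example: suites an SSL 3.0-era server commonly accepted
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5). The bulletin names none.
OFFERED_CIPHERS = bytes.fromhex("002f" "0035" "000a" "0005" "0004")

ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      86: "inappropriate_fallback"}


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one SSLv3 handshake record carrying a minimal ClientHello (no extensions)."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = (
        SSLV3_VERSION                                         # client_version 3.0
        + client_random
        + b"\x00"                                             # empty session_id
        + struct.pack("!H", len(OFFERED_CIPHERS)) + OFFERED_CIPHERS
        + b"\x01\x00"                                         # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> dict:
    """Classify the first record a server returns after our SSLv3 ClientHello."""
    if len(data) < 5:
        return {"sslv3": False, "reason": "connection closed or no record returned"}
    rec_type, _major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rec_len]
    if rec_type == 0x15 and len(payload) >= 2:               # Alert record
        level, desc = payload[0], payload[1]
        name = ALERT_DESCRIPTIONS.get(desc, str(desc))
        return {"sslv3": False, "reason": f"alert {name} (level {level})"}
    if rec_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        srv_version = payload[4:6]
        if srv_version != SSLV3_VERSION:
            return {"sslv3": False, "reason": f"ServerHello version {srv_version.hex()}"}
        # ServerHello body: version(2) random(32) sid_len(1) sid cipher(2) compression(1)
        if len(payload) < 39:
            return {"sslv3": False, "reason": "truncated ServerHello"}
        sid_len = payload[38]
        cipher = payload[39 + sid_len: 41 + sid_len]
        if len(cipher) != 2:
            return {"sslv3": False, "reason": "truncated ServerHello"}
        return {"sslv3": True, "reason": f"ServerHello SSL 3.0, cipher 0x{cipher.hex()}"}
    return {"sslv3": False, "reason": f"unexpected record type 0x{rec_type:02x}"}


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the ClientHello to a live host and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello(os.urandom(32)))
        try:
            data = sock.recv(4096)
        except OSError:          # timeout or reset: server refused to talk SSLv3
            data = b""
    return classify_response(data)


# Constructed sample replies (not captured from any real server) for offline use.
SAMPLE_SERVER_HELLO_SSLV3 = bytes.fromhex(
    "160300002a" "02000026" "0300" + "11" * 32 + "00" "002f" "00"
)
SAMPLE_ALERT_PROTOCOL_VERSION = bytes.fromhex("1503000002" "0246")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], classify := probe_sslv3(sys.argv[1]))
    else:
        print("sample ServerHello:", classify_response(SAMPLE_SERVER_HELLO_SSLV3))
        print("sample alert:", classify_response(SAMPLE_ALERT_PROTOCOL_VERSION))
```

A server that answers with an SSL 3.0 ServerHello is the case the bulletin describes and has to be reconfigured, not patched: the fix is to remove SSL 3.0 (and SSL 2.0) from the allowed protocol list of the TLS endpoint (for example `ssl_protocols TLSv1.2;` in nginx or `SSLProtocol -all +TLSv1.2` in Apache httpd) and to retest with the probe until the reply is an alert or a closed connection.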
