PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates
Posted by David Gamey on 10 Mar 2015.
The PCI Council has announced that it is preparing updated versions of the PCI DSS (v3.1) and PA-DSS (v3.1), which will detail several clarifications and changes to requirements. One of the major changes in v3.1 is that no version of SSL will any longer be considered acceptable as “strong cryptography”. The Council's bulletin states that the PCI DSS v3.1 and PA-DSS v3.1 standards will be effective immediately, with future-dated requirements to allow organizations time to implement changes.
As of this date, the PCI Council has not released the revised version of the standard. In the meantime, you may hear speculation regarding the content and on dates when requirements or technologies such as SSL will be considered non-compliant. As with all changes to the PCI standards, once we have the official details from the council and can review their guidance then we will be able to properly ascertain the impact to our customers and provide the best options to support their ongoing compliance.
While browsers, web servers, and similar applications are most at risk, a decision to deprecate all SSL equally would have a farther-reaching impact, including on embedded devices and payment terminals. Until we learn more, we recommend that organizations begin planning now and be prepared to prioritize any remediation plans.
Based on the details in the bulletin, we recommend that you review the SSL technology currently used in your environment. This technology may be in place to satisfy particular requirements, such as 4.1 (transmission over public networks) and 2.3 (remote administrative access), or to limit scope. When reviewing the various technologies, you may need to consult with vendors, solution providers, or subject matter experts to confirm that you are using more secure protocols. We recommend using the most current versions of TLS available (TLS 1.2 and 1.1 as of this writing; TLS 1.0 should be avoided) and adopting new versions as they become available. We also recommend prioritizing stronger versions of TLS over weaker ones to reduce risk.
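The review recommended above usually starts with an inventory of where each protocol version is actually enabled. The following Python script is an added example, not code from the original post or from the PCI Council: it scans web-server configuration text for nginx `ssl_protocols` and Apache `SSLProtocol` directives, works out which versions each directive enables, and flags anything below TLS 1.1 (all SSL versions and TLS 1.0, matching the recommendation in this post). The sample configurations are constructed for illustration, and the expansion of Apache's `all` keyword to SSLv3 through TLSv1.2 is an assumption based on how httpd documents it for OpenSSL 1.0.1-era builds; check it against your own build.

```python
import re

# Canonical protocol names as written in nginx "ssl_protocols" and Apache
# "SSLProtocol" directives, ordered weakest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
CANONICAL = {p.lower(): p for p in PROTOCOLS}

# Versions the post recommends as of its writing (TLS 1.2 and 1.1). Every SSL
# version and TLS 1.0 are reported as weak.
ACCEPTABLE = {"TLSv1.1", "TLSv1.2"}

# Assumption: Apache's "all" keyword expands to SSLv3 through TLSv1.2, as httpd
# documents it for OpenSSL 1.0.1-era builds (SSLv2 is never part of "all").
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.IGNORECASE)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def parse_nginx(value):
    """nginx lists every enabled protocol explicitly, e.g. 'SSLv3 TLSv1 TLSv1.2'."""
    return {CANONICAL[t.lower()] for t in value.split() if t.lower() in CANONICAL}


def parse_apache(value):
    """Apache uses 'all' plus modifiers, e.g. 'all -SSLv2 -SSLv3': a bare name
    or '+name' enables a version, '-name' disables it, applied left to right."""
    enabled = set()
    for token in value.split():
        if token.startswith("-"):
            sign, name = "-", token[1:].lower()
        else:
            sign, name = "+", token.lstrip("+").lower()
        if name == "all":
            targets = APACHE_ALL
        elif name in CANONICAL:
            targets = {CANONICAL[name]}
        else:
            continue  # unknown token; ignore rather than guess
        if sign == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def audit_config(text):
    """Scan configuration text for protocol directives and report, for each
    one, the enabled versions and which of them fall below TLS 1.1."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0]  # drop trailing comments
        m = NGINX_RE.match(stripped)
        if m:
            server, enabled = "nginx", parse_nginx(m.group(1))
        else:
            m = APACHE_RE.match(stripped)
            if not m:
                continue
            server, enabled = "apache", parse_apache(m.group(1))
        findings.append({
            "line": lineno,
            "server": server,
            "enabled": sorted(enabled, key=PROTOCOLS.index),
            "weak": sorted(enabled - ACCEPTABLE, key=PROTOCOLS.index),
        })
    return findings


# Constructed sample: an nginx server block that still offers SSLv3 and TLS 1.0.
WEAK_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # kept for legacy clients
}
"""

# Constructed sample: the same block restricted to the versions the post recommends.
HARDENED_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

# Constructed sample: a common Apache setting that drops SSL but still allows TLS 1.0.
APACHE_SNIPPET = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                       ("apache", APACHE_SNIPPET)]:
        for f in audit_config(cfg):
            status = "WEAK: " + ", ".join(f["weak"]) if f["weak"] else "ok"
            print(f"{label} line {f['line']} ({f['server']}): {f['enabled']} -> {status}")
```

Run it over copies of your own `nginx.conf` or `httpd.conf` files (for example, `audit_config(open(path).read())`) to list every directive that still enables SSLv3 or TLS 1.0; a directive that is absent altogether means the server's compiled-in default applies, which this script does not evaluate.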
Below are the PCI Council bulletin and the referenced NIST standards:
- The bulletin from the PCI SSC can be found here.
- NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
- NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)
We have already assisted several clients with vulnerability analysis of non-browser-based, SSL-wrapped protocols.
We will provide updates and analysis as more information becomes available.