Still Using SSL? You’re No Longer Compliant with PCI

It’s well-known that the SSL (Secure Sockets Layer) protocol, the security technology that establishes an encrypted link between a web server and a browser, is the source of many recent vulnerabilities, including POODLE, Heartbleed, and FREAK, and the facilitator of many recent cyber-attacks. As a result, best practices recommend that companies turn off SSL and move to the far more secure TLS (Transport Layer Security) protocol.

So while I may not have been Shellshocked (pun intended, of course), I was still surprised by the speed at which the PCI Security Standards Council took steps to respond to the problem – especially since the council is a somewhat regimented organization, not typically known for its agility, and version 3.0 had only recently come into full effect.

Yet in the face of the growing number of SSL vulnerabilities, the Council uncharacteristically released version 3.1 of its PCI-DSS outside of its typical release schedule, in April 2015. Moreover, it made its requirements effective immediately, instead of giving merchants a grace period to comply.

PCI-DSS 3.1 states that SSL no longer meets the PCI Council’s definition of “strong cryptography” and requires companies to replace it with later versions of TLS. Merchants are prohibited from implementing new technology that relies on SSL and early versions of TLS (1.0 and 1.1). And as of June 30, 2016, merchants are no longer allowed to use SSL and early versions of TLS in any way as standalone security controls to protect payment data. And until they transition over, merchants are required to have a risk mitigation and transition plan.

Other than the obvious need to move away from these insecure technologies, why is this so important? Because with the 3.1 anyone who hasn’t yet implemented the new requirements is effectively now incompliant with PCI-DSS!

The good news is that the fix is pretty easy to implement, and basically requires reconfiguring the web services settings and restarting the web server. Moreover, the fix will not likely disrupt any business services. So if you haven’t done it already, I strongly suggest you do it now!