PCI Releases DSS 3.1, Puts Expiration on Weak Encryption

As the Payment Card Industry (PCI) recently announced in Data Security Standard (DSS) version 3.1, SSL and early TLS will no longer be accepted as strong cryptography after June 30, 2016. Effective immediately, new technology that uses SSL or early TLS may not be installed. In response to the publicly disclosed FREAK and POODLE vulnerabilities, PCI published the updated DSS earlier than expected, with stricter requirements intended to avoid the damage these vulnerabilities could cause.

In an effort to strengthen security for all merchants and cardholders, PCI has set this deadline with the expectation that every user will update their technology to comply within the fourteen-month window, and that no outdated technology will continue to be installed from this point forward.

What You Need to Know

The Data Security Standard 3.1 makes three updates to version 3.0. The main change is that SSL and early TLS (1.0 and 1.1) are no longer considered strong cryptography. Where the requirements call for strong cryptography, they mean protocols such as SSH, S-FTP, TLS, or IPSec VPN.

PCI DSS Requirement 2.2.3 states that additional security features, such as SSH, S-FTP, TLS, or IPSec VPN, must be used to secure services such as NetBIOS, file sharing, Telnet, FTP, etc. All technology must be updated by June 30, 2016. Systems that continue to use SSL or early TLS up until the deadline must have a formal Risk Mitigation and Migration Plan in place.

PCI DSS Requirement 2.3 states that all non-console administrative and web-based management access must use strong cryptography, such as SSH, VPN, or TLS.

PCI DSS Requirement 4.1 states that payment card technology must use strong cryptography and security protocols to protect sensitive cardholder data during transmission over open, public networks (including the Internet, wireless technologies, cellular technologies, GPRS, and satellite communications).

What You Need to Do

Although the deadline for a complete migration to strong cryptography is not until June 30, 2016, PCI DSS 3.1 does call for a formal Risk Mitigation and Migration Plan for all devices that will not be immediately upgraded. According to the PCI Security Standards Council, this plan should include:

  • Description of usage, including what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment
  • Risk-assessment results and risk-reduction controls in place
  • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS
  • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments
  • Overview of migration project plan including target migration completion date no later than June 30, 2016.

How Real-Time Vulnerability Scanning Can Help

In addition to creating a plan and preparing to migrate to strong cryptography, admins should identify all certificates currently in use. Tools such as DigiCert Certificate Inspector™ provide real-time analysis of a certificate inventory and its security configurations. Knowing which certificates are deployed in your network lets you confirm that each one complies with the updated PCI requirements and make changes where necessary. Certificate Inspector™ also scans for vulnerabilities, tests configurations for errors, and suggests remediations.
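As an added example (not code from DigiCert, Certificate Inspector, or the PCI Council), the script below does the inventory step for one endpoint: it asks a server to negotiate each protocol version in turn and maps the answer onto the DSS 3.1 rule that SSL and early TLS (1.0 and 1.1) are not strong cryptography. The hostname is a placeholder, and whether a legacy version can be offered at all depends on the local OpenSSL build, so untestable versions are reported as unknown rather than assumed compliant.

```python
import socket
import ssl

# Protocol versions PCI DSS 3.1 no longer accepts as strong cryptography.
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}
PROBE_ORDER = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]

def probe_version(host, port, version, timeout=5.0):
    """True/False if the server accepts/rejects exactly this version,
    None when the local OpenSSL cannot offer it or the connection failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inventory only; trust is validated separately
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let a modern OpenSSL offer legacy suites
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False  # handshake refused: server does not speak this version
    except OSError:
        return None   # reset/timeout: inconclusive, re-check by other means

def probe_host(host, port=443):
    """Map each version name to True/False/None for one endpoint."""
    return {name: probe_version(host, port, ver) for name, ver in PROBE_ORDER}

def assess(offered):
    """Classify a probe result (version -> accepted?) against PCI DSS 3.1."""
    weak = sorted(v for v, ok in offered.items() if ok and v in WEAK_VERSIONS)
    unknown = sorted(v for v, ok in offered.items() if ok is None)
    strong = any(ok for v, ok in offered.items() if v not in WEAK_VERSIONS)
    if weak:
        status = "needs migration plan (deadline June 30, 2016)"
    elif not strong:
        status = "no strong protocol negotiated; investigate"
    else:
        status = "compliant" if not unknown else "compliant as far as tested"
    return {"status": status, "weak": weak, "unknown": unknown}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder
    print(assess(probe_host(target)))
```

Run it against each host from the certificate inventory and keep the output with the Risk Mitigation and Migration Plan, since it records exactly which systems still negotiate SSL or early TLS.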

For more information on PCI DSS 3.1 please see the updated standards here.