Merchants, e-commerce businesses, B2B retailers and many other organizations are very familiar with the Payment Card Industry’s Data Security Standards. According to SC Magazine, PCI DSS was first developed in 1999 by Visa in order to prevent – or at least attempt to mitigate – the over $750 million losses seen by MasterCard and Visa from the late 1980s until the inception of PCI DSS 1.0.
Since 1999, PCI DSS has gone through several iterations, with PCI DSS 3.0 being the most recent. Businesses are currently scrambling to implement new cybersecurity systems and payment processing platforms in order to adhere to the new version of requirements once it becomes absolutely mandatory on June 30, 2015.
Pay attention: New standards
With the PCI DSS 3.0 deadline looming over the heads of many business leaders and merchants, the PCI Security Standards Council published PCI DSS Version 3.1. While many of the revisions are minor updates and mere clarifications to past requirements, this newest standard directly addresses cybersecurity vulnerabilities within the Secure Sockets Layer encryption protocol. The council noted that SSL security protocol is currently putting payment card data at risk, and therefore PCI DSS 3.0 will be retired on June 30, 2015. As of right now, PCI DSS 3.1 is effective, and SSL cannot be used to protect payment data after June 30, 2016.
“In this case, the Secure Sockets Layer protocol is broken, and unlike many of the vulnerabilities we see out there, there’s no patch to fix it,” Troy Leach, CTO of the PCI Security Standards Council, told eWEEK. “This combined with its widespread use makes it a critical vulnerability and one that organizations need to address immediately.”
An inherent weakness
As the PCI Security Standards Council reported, the National Institute of Standards and Technology issued an update to its standards some time ago, noting that SSL and early versions of TLS were no longer to be considered strong encryption. The current, more secure TLS is a successor to SSL, and NIST identified TLS as the only way to remediate vulnerabilities, such as the POODLE and BEAST browser attacks.
According to the source, Leach explained that there is simply an inherent weakness when SSL security protocol is used to protect payment card data as it travels over public channels. Therefore, every organization that wants to adhere to the most up-to-date PCI DSS version must disable the use of SSL as soon as possible, replacing it with a secure protocol such as TLS.
Prior to June 30, 2016, organizations with existing implementations of SSL or early TLS must create formal risk mitigation and migration strategies, and the PCI Security Council will provide assistance for those plan formulations in the form of recommendations and SSL protocol alternatives.
There is good news, however. The new PCI DSS regulations state that as long as point-of-sale systems are verified as “not being susceptible to all known exploits for SSL and early TLS,” they can still be used as cybersecurity controls after the date passes next year. This means that the new standards will not impact any current plans, as cutting-edge security platforms have abandoned SSL in the recent past.
According to eWEEK, the next planned update for PCI DSS is in November 2016. However, Leach implied that if it’s necessary to update the cybersecurity standard before that date due to the ever-evolving nature of threats, another revision could be released at any time between now and then. As evidenced by this recent news, the PCI Security Standards Council does not want to leave any stone unturned.
While new PCI DSS standards generally throw retailers and merchants for a loop, the step away from SSL and toward more secure data transfer protocols will impact the industry for the better in the long term.