SSL / TLS 1.0 Deadline for PCI DSS

22. January 2018

The Secure Socket Layer (SSL) protocol developed by Netscape and the Transport Layer Security (TLS) protocol standardised by the Internet Engineering Task Force (IETF) are cryptographic protocols that provide authentication and data encryption. Developed in the early 1990s, SSL is the predecessor of TLS and has undergone several revisions over the years to address security vulnerabilities and to support stronger, more secure cipher suites and algorithms. The most important versions are SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006) and TLS 1.2 (2008).

Many organisations today still use the early versions of the protocol (< TLS 1.1). Where this is the case, PCI DSS previously required organisations to implement a “risk mitigation” and a “migration plan” in order to maintain PCI DSS compliance. The affected requirements are the following:

Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

The PCI SSC (Security Standards Council) has set 30 June 2018 as the deadline, after which NONE of the early versions of the protocol may be used any longer in the context of the above requirements if an organisation is to remain PCI DSS compliant. This applies to all versions prior to TLS 1.1.
The PCI SSC wants to take action against known exploits such as POODLE or BEAST, which target the vulnerabilities associated with the early protocol versions.
The only exception concerns point of interaction (POI) terminals: they may continue to use the early protocol versions only if it can be proven that the terminals in use, including the termination points to which they connect, are not susceptible to known exploits.
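When verifying before the deadline whether a server or terminal still negotiates an early protocol version, it helps to look at what is actually agreed on the wire: the server_version field of the ServerHello. The following parser is an added example (not code from usd AG or the PCI SSC) that classifies a captured ServerHello record as SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 and flags the versions the deadline bans; the sample records it runs on are constructed inline, not captured traffic.

```python
import struct

# Negotiated protocol versions as carried in the TLS record/handshake
# (major, minor) fields; everything below TLS 1.1 is "early TLS" for PCI DSS.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def negotiated_version(record: bytes):
    """Parse one TLS record and return the ServerHello's server_version as
    (major, minor), or None if the record is not a ServerHello.
    Caveat: a TLS 1.3 ServerHello carries the legacy value 0x0303 here (the
    real version sits in the supported_versions extension), so 0x0303 means
    "TLS 1.2 or newer", which is sufficient for an early-TLS check. SSL 2.0
    uses a different record format and is not parsed."""
    if len(record) < 5:
        return None
    content_type, _legacy_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE or len(record) < 5 + rec_len:
        return None
    handshake = record[5:5 + rec_len]
    if len(handshake) < 6 or handshake[0] != HANDSHAKE_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(handshake[1:4], "big")
    if len(handshake) < 4 + hs_len or hs_len < 2:
        return None
    return handshake[4], handshake[5]


def is_early_tls(version) -> bool:
    """True for SSL 3.0 and TLS 1.0, i.e. the versions banned after 30 June 2018."""
    return version is not None and version < (3, 2)


def classify(record: bytes) -> dict:
    """Verdict for one observed ServerHello record."""
    version = negotiated_version(record)
    return {"version": VERSION_NAMES.get(version, "unknown"), "early_tls": is_early_tls(version)}


def make_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample ServerHello (not captured traffic): all-zero random,
    empty session id, cipher suite 0x002F, null compression."""
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for v in ((3, 0), (3, 1), (3, 2), (3, 3)):
        print(classify(make_server_hello(*v)))
```

Fed with the first server-side record of a real handshake (e.g. from a packet capture of your own systems), the same function tells you whether a given endpoint still falls under the migration requirements above.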
 
(Source: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)
 
About the PCI Expert Tips:
With our PCI Expert Tips, we would like to keep you informed about changes to the PCI Security Standards and provide you with initial explanations as to what the changes entail and how they may affect you. Please always take our articles only as a general reference – they do not replace individual case-by-case evaluations.
 
Should you have any questions or need assistance with your scope definition, please contact us. Our specialists are happy to help you:
+49 6102 8631-190
sales@usd.de
