SSL / TLS 1.0 Deadline for PCI DSS

22. January 2018

The Secure Socket Layer (SSL) protocol developed by Netscape and the Transport Layer Security (TLS) protocol standardised by the Internet Engineering Task Force (IETF) are encryption protocols that provide authentication and data encryption. Developed in the early 1990s, SSL is the predecessor of TLS, and the protocol has undergone several revisions over the years to address security vulnerabilities and to support stronger, more secure cipher suites and algorithms. The most important versions are SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006) and TLS 1.2 (2008).

Many organisations today still use the early versions of the protocol (earlier than TLS 1.1). In this case, PCI DSS previously required organisations to implement a “risk mitigation” and a “migration plan” in order to maintain PCI DSS compliance. The following requirements are affected:

Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

The PCI SSC (Security Standards Council) has set 30 June 2018 as the deadline, after which NONE of the early versions of the protocol may be used any longer in the context of the above requirements if an organisation wants to remain PCI DSS compliant. This applies to all versions prior to TLS 1.1.
The PCI SSC wants to take action against known exploits such as POODLE or BEAST, which target the vulnerabilities associated with the early protocol versions.
The only exception applies to point of interaction (POI) terminals: these may continue to use the early versions, provided it is proven that the terminals in use, including the termination points to which they connect, are not susceptible to known exploits.
(Source: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)
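In practice, meeting the deadline means removing SSL 3.0 and TLS 1.0 from every server that handles cardholder data. The following script, added here as an illustration and not part of the original post or of any PCI SSC material, audits nginx (`ssl_protocols`) and Apache (`SSLProtocol`) configuration lines and flags any directive that still enables a version below TLS 1.1; the sample configuration is constructed, and the expansion of Apache's `all` keyword is an assumption based on Apache 2.4 behaviour.

```python
"""Flag web-server TLS protocol settings that still offer SSL or early TLS
(anything below TLS 1.1). Handles nginx 'ssl_protocols' and Apache 'SSLProtocol'."""
# Versions the post says may no longer be used: everything prior to TLS 1.1.
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}
# Assumed expansion of Apache's 'all' keyword (Apache 2.4 drops SSLv2 entirely).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def enabled_apache(tokens):
    """Resolve Apache's additive syntax, e.g. 'all -SSLv3 -TLSv1', to a set."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def audit_config(text):
    """Return (line_no, directive, legacy_versions) for every offending line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ssl_protocols":            # nginx lists versions explicitly
            enabled = set(parts[1:])
        elif parts[0].lower() == "sslprotocol":    # Apache uses +/-/all syntax
            enabled = enabled_apache(parts[1:])
        else:
            continue
        legacy = sorted(enabled & LEGACY)
        if legacy:
            findings.append((no, parts[0], legacy))
    return findings

# Constructed sample: each weak setting next to a corrected one.
SAMPLE_CONFIG = """\
# nginx, non-compliant: TLS 1.0 still offered
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# nginx, corrected
ssl_protocols TLSv1.2 TLSv1.3;
# Apache, non-compliant: 'all' still includes TLSv1
SSLProtocol all -SSLv3
# Apache, corrected
SSLProtocol all -SSLv3 -TLSv1
"""
if __name__ == "__main__":
    for no, directive, legacy in audit_config(SAMPLE_CONFIG):
        print(f"line {no}: {directive} still enables {', '.join(legacy)}")
```

The check only reads configuration; confirm the running service with a handshake test as well, since a directive can be overridden elsewhere in the configuration or by a load balancer in front of the server.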
About the PCI Expert Tips:
With our PCI Expert Tips, we would like to keep you informed about changes to the PCI Security Standards and provide you with initial explanations of what the changes entail and how they may affect you. Please always take our articles only as a general reference; they do not replace individual case-by-case evaluations.

Should you have any questions or need assistance with your scope definition, please contact us. Our specialists are happy to help you:
+49 6102 8631-190
sales@usd.de
