Just When You Thought You Had A Handle On PCI-DSS 3.0

As I mentioned in a previous post, PCI-DSS 3.0 (Payment Card Industry Data Security Standard) came into effect on January 1.

PCI-DSS 3.1 is now on its way, thanks to vulnerabilities like POODLE, Shellshock, and Heartbleed.

The PCI SSC (Payment Card Industry Security Standards Council) continuously monitors threats and vulnerabilities in order to keep the security standard up to date.

The National Institute of Standards and Technology has identified SSL (Secure Sockets Layer) – a protocol meant to establish encrypted communication between a server and a client – as no longer acceptable for data protection.

Due to the inherent weaknesses of this security protocol, there are currently no versions of SSL with the ability to provide strong cryptography. This is why an updated version of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) is necessary.

According to NIST, “The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration.”

The problem lies in the way SSL encrypts information while it is in transit between a client and a server.

The solution is to drop SSL in favor of the TLS 1.2 protocol. SSL and Transport Layer Security (TLS) are both mechanisms for protecting sensitive data while it is transmitted across networks. TLS 1.3 is currently being developed; the goal is to add extra measures to avoid exploitation and mitigate encryption-related issues.

To ensure continuity across the payment card industry, the PCI Council expects that PCI DSS 3.1, once published, will be effective immediately. That said, the new requirements will take time to implement, and the PCI SSC will allow organizations a period to review the new requirement and implement the changes.

Considering that there is no known way to address the weaknesses discovered in the SSL protocol, it is strongly recommended that all organizations that handle cardholder data look into switching to a strong cryptographic protocol, such as TLS, as soon as possible. There are a number of ways to do this for Windows, Linux, and FreeBSD servers and clients.
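As an added example (not code from the original post), the Python snippet below contrasts the two server postures discussed above: a context with no protocol floor beside one that refuses every handshake below TLS 1.2, plus a small audit function that reports which deprecated versions a context's settings would still permit. The `DEPRECATED` table, the function names and the pairing of each version with its legacy `OP_NO_*` bit are this example's own assumptions, built on Python's standard `ssl` module.

```python
import ssl

# Everything below the TLS 1.2 floor the post describes: every SSL version plus
# early TLS. SSLv2 has no ssl.TLSVersion member (CPython refuses it outright),
# so it is not listed. Pairing a version with its legacy OP_NO_* bit lets the
# audit see both ways a deployment may have been configured. (Example's own table.)
DEPRECATED = [
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
]


def legacy_server_context():
    """Pre-3.1 posture: no version floor, so whatever the library supports is on offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    # CPython sets OP_NO_SSLv3 on every new context; clear the legacy bits so the
    # context genuinely represents "no restriction" for the audit below.
    legacy_bits = ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    ctx.options = int(ctx.options) & ~int(legacy_bits)
    return ctx


def hardened_server_context():
    """3.1 posture: refuse every handshake below TLS 1.2, whatever the library default is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the names of deprecated versions this context would still negotiate.

    Both knobs are checked: the minimum_version floor (the modern setting) and the
    OP_NO_* option bits (the older one). An empty list means the TLS 1.2 floor holds.
    """
    floor = ctx.minimum_version  # MINIMUM_SUPPORTED (-2) sorts below every real version
    return [
        name for name, version, no_bit in DEPRECATED
        if floor <= version and not ctx.options & no_bit
    ]


def harden(ctx):
    """Remediate an existing context in place and return what it still permits."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return audit_context(ctx)


if __name__ == "__main__":
    print("legacy  :", audit_context(legacy_server_context()))
    print("hardened:", audit_context(hardened_server_context()))
```

Running the script prints the three deprecated versions for the legacy context and an empty list for the hardened one.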

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.