PCI DSS v3.0 will be retired. Many companies are still unaware that they have a sunset date of 30 June 2016 for PCI DSS 3.1 compliance, any new projects must not use SSL and early TLS as security controls to protect payment data. Please find comment below from Kevin Bocek, Vice President Security, Strategy and Intelligence at Venafi.
Kevin Bocek, Vice President Security, Strategy and Intelligence at Venafi :
“In April 2015, PCI DSS version 3.1 was published to address vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. Basically, TLS is dead. Long live Transport Layer Security (TLS). Starting today, new projects must not use SSL or early Transport Layer Security (TLS).
After a slew of vulnerabilities, from Heartbleed to POODLE, the PCI Security Standards Council (PCI SSC) determined that all versions of SSL and early versions of TLS could no longer be relied upon to protect cardholder data. SSL and TLS could allow attackers to perform man-in-the-middle attacks and read what was thought to be authenticated encrypted communications. As explained in the PCI SSC guide ‘Migrating from SSL and Early TLS’ organisations must identify use of SSL/TLS, plan a remediation strategy and move to the secure protocols, encrypt data before transmission, or apply additional layers of transmission security that are not vulnerable, such as IPSEC. This migration must be performed by 30 June 2016 to comply with the PCI DSS 3.1.
With the increasing number of vulnerabilities and attacks involving SSL/TLS and cryptographic keys and digital certificates, the PCI is reminding organisations that they need to be ready to respond and remediate quickly. Future scenarios may require much shorter remediation time frames and require not just changes to configurations, but also replacement of cryptographic keys and digital certificates, much like with Heartbleed.
Finding all keys and certificates, determining what should be trusted and not, and automatically replacing and responding to vulnerabilities are important steps in preparing for a future where more encryption will be used and more vulnerabilities and attacks are certain.”
[su_box title=”Kevin Bocek, Vice President Security, Strategy and Intelligence at Venafi” style=”noise” box_color=”#336588″]
Kevin Bocek is responsible for security strategy and threat intelligence at Venafi. He brings more than 16 years of experience in IT security with leading security and privacy leaders including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, nCipher, and Xcert. He is sought after for comment by the world’s leading media such as Wall Street Journal, New York Times, Washington Post, Forbes, Fortune, BBC, Süddeutsche Zeitung, USA Today, Associated Press, Guardian, and Telegraph along with security press including SC Magazine, Dark Reading, and Network World.[/su_box]