PCI DSS and the End of SSL

PCI DSS

  • What is PCI DSS?
  • Requirements for Compliance
  • SSL Now Unacceptable Security for PCI DSS
  • Your Solid Compliance Partner

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is the most widely recognized standard for organizations that take payments online via credit and debit cards. It was developed collaboratively in 2004 by American Express, Discover, MasterCard, and Visa. The real incentive for those companies was to prevent online fraud that could threaten people’s ability to use payment cards safely on the Internet, but PCI has the added benefit of making identity theft less likely for consumers.

Requirements for Compliance

There are six basic intentions of the PCI standards, all of which seek to strike a balance between strong security and convenience – with primary focus on the former.

  1. The network should be completely secure.

Firewalls should be deployed. In the case of wireless LANs, a specially designed firewall should be used, since those networks are at high risk of eavesdropping and breaches by cybercriminals.

“In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors,” explained tech writer Margaret Rouse. “Customers should be able to conveniently and frequently change such data.”

  2. Payment data should be safeguarded in storage.

All data that relates to individuals should be safeguarded against unauthorized access in storage. This type of data includes birthdates, Social Security numbers, answers to password retrieval questions, ZIP Codes, and phone numbers. It should be encrypted using established industry standards prior to transmission.

  3. Anti-malware definitions should be kept current.

Anti-malware applications, such as programs defending against viruses and spyware, should be updated whenever new patches become available. In that manner, the software can be kept safe from bugs and weaknesses that could lead to compromise.

  4. Access to the data should be limited.

Companies should only request information from consumers on a “need to know” basis – in other words, when it’s necessary to conduct the transaction or verify identity. Each user of the system should have their own ID name or account number, and both hardcopy and digital protection should be maintained.

“Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the trash,” said Rouse.

  5. Networks should be monitored and reviewed.

Monitoring of the network should be continual, with periodic vulnerability assessments to confirm that security mechanisms are working adequately. No security software should ever be outdated. Anti-malware software must check incoming and outgoing information, applications, memory, and storage devices often – persistently if possible, to meet the persistent threat of malicious hackers.

  6. A policy for data security should be developed.

Organizations must strictly enforce the policy, with sanctions when its parameters are ignored.

SSL Now Unacceptable Security for PCI DSS

PCI DSS 3.0 was retired on June 30, 2015. That’s major news because of what’s replacing it.

PCI DSS 3.1 was released in April after multiple devastating vulnerabilities were found in open source implementations of SSL such as OpenSSL. In the new version, Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer acceptable for safeguarding payment information.

SSL is now considered unacceptable for new deployments. For systems that are currently deployed, companies have until June 30, 2016, to upgrade.

“The update means online merchants will have to switch off SSL in web servers and support the latest version of the Transport Layer Security protocol,” said info security journalist Phil Muncaster. “Bricks and mortar stores will also need to pay attention, especially if they have any payment apps using SSL that may need updating.”

The National Institute of Standards and Technology (NIST), the nonregulatory body that establishes standards for the US government, has instructed all agencies to switch to TLS 1.2.

The rapid-fire release of this new version of PCI DSS, closely following the January 1 issuance of version 3.0, shows how grave the exploit potential within SSL currently is.

With outdated, less sophisticated security technologies such as SSL, it is now possible for attackers to access interactions between client and server, according to Venafi security VP Kevin Bocek. “[O]rganizations must identify use of SSL/TLS, plan a remediation strategy and move to the secure protocols, encrypt data before transmission, or apply additional layers of transmission security that are not vulnerable, such as IPSEC,” he explained.

Bocek additionally commented that both IT vendors and general businesses should know that this quick adaptation is the new normal. They should be prepared to adapt rapidly when any further exploits are discovered in the months and years ahead.
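As an added illustration (not code from the original post or from any vendor named in it) of the "identify use of SSL/TLS" step above: this Python check reads the protocol version a server negotiated from a TLS ServerHello record, classifies it against the PCI DSS 3.1 cutoff described here, and shows the client-side setting that refuses anything below the TLS 1.2 target NIST points to. The ServerHello bytes it works on are constructed for the example, not captured traffic.

```python
import ssl
import struct

# Record-layer version bytes -> protocol name. SSLv2 uses a different
# record format and is deliberately not parsed here.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# PCI DSS 3.1: SSL and "early TLS" (TLS 1.0) are no longer acceptable.
# NIST directs agencies to TLS 1.2, so that is treated as the target.
UNACCEPTABLE = {"SSLv3", "TLS 1.0"}
TARGET = "TLS 1.2"


def parse_server_hello(data: bytes) -> dict:
    """Return the negotiated version and cipher suite from one raw TLS
    record carrying a ServerHello handshake message."""
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # handshake header: type(1) + length(3); then version(2), random(32),
    # session_id length(1) + session_id, cipher_suite(2), compression(1)
    major, minor = body[4], body[5]
    sid_len = body[38]
    cipher = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
    version = VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")
    return {"version": version, "cipher_suite": cipher}


def classify(version: str) -> str:
    """Map a negotiated version onto the compliance outcome described above."""
    if version in UNACCEPTABLE:
        return "unacceptable: SSL/early TLS, must be switched off"
    if version == TARGET:
        return "acceptable"
    return "allowed but below the TLS 1.2 target; plan an upgrade"


def build_server_hello(major: int, minor: int, cipher: int) -> bytes:
    """Constructed sample ServerHello (empty session id) for testing."""
    hello = (bytes([major, minor]) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", cipher) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 0x16, major, minor, len(handshake)) + handshake


def pci_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3, TLS 1.0 and TLS 1.1 outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

The same parser can be pointed at a packet capture of a payment application's handshakes to inventory which endpoints still negotiate SSL or TLS 1.0 before the June 30, 2016 deadline.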

Your Solid Compliance Partner

The security landscape continues to evolve, and recent high-profile hacks (such as the multiple-month invasions of Anthem, Sony Pictures, and the US State Department) reveal the complexity of the advanced persistent threat. You want a cloud provider that goes above and beyond PCI DSS standards.

Furthermore, we all want more than just security: we want cloud performance to meet strict standards as well. That’s why all our cloud servers are Passmark-rated.

Do you want a cloud VM that typically delivers four times the performance of virtual servers with similar specs from AWS and SoftLayer? Then make your cloud Superb.

By Kent Roberts
