by Viviana Wesley, PCI QSA, ISO 27001 Auditor – Managing Consultant, Governance & Compliance Services
Cyber security is a moving target. The technology and policies that kept users, devices and data safe at one time are eventually undermined, both by the growing skills of cyber criminals and by advances in technology itself. This is one of the reasons security standards such as PCI DSS (Payment Card Industry Data Security Standard) are moving targets as well. Nothing stays still in a world that is digitally transforming itself, and a security standard would quickly lose its relevance if it did not change along with the threats it is meant to address.
Although proper attention to new compliance standards does require added work and expense, it is more than worth it in order to avoid the risk of a data breach that could destroy the reputation and financial viability of your business.
One of the primary security mechanisms used to protect data both at rest and in transit is encryption. Encryption is essential, and in many cases required, so that data which is compromised is useless in the hands of an unauthorized party who does not hold the decryption key. Encryption technology has grown more robust over the years to keep ahead of attack tools and techniques. There is also a longer-term concern that quantum computers could eventually break the public-key algorithms in common use today, which would make much of the encryption we rely on now obsolete.
The Details: PCI DSS version 3.2
Fortunately, cryptography is still a very relevant and effective method of protecting your data today, but only if you use current versions and standards. PCI DSS v3.2 requires that all versions of SSL and TLS version 1.0 (which the PCI Security Standards Council, PCI SSC, calls "early TLS") be disabled. To be PCI DSS compliant you must use TLS 1.1 at a minimum, although TLS 1.2 is strongly recommended. This mandate was originally slated for June 30, 2016, but because of the burdensome impact on organizations the PCI SSC extended the deadline to June 30, 2018. Until then, an organization still using SSL or early TLS must have a documented risk mitigation and migration plan in place (PCI DSS v3.2, Appendix A2). The one exception that survives the deadline is for point-of-sale POI terminals, and the termination points they connect to, that can be verified as not susceptible to the known SSL and early TLS exploits. The PCI DSS applies to every organization that stores, processes or transmits payment card data, which includes merchants accepting card payments for goods and/or services and the third-party service providers that handle card data on their behalf.
What are SSL and TLS?
SSL and TLS encrypt data travelling between two endpoints, such as a web browser and a web server, and authenticate the server to the client along the way. SSL (Secure Sockets Layer) has been around for more than 20 years, and many people refer to all web encryption protocols as SSL, but TLS (Transport Layer Security) is actually a separate protocol. TLS v1.0 was released in 1999 and was designed to supersede SSL v3.0, which was beginning to show vulnerabilities. Further weaknesses in SSL have been found since, the most famous being POODLE in 2014: a man-in-the-middle attacker who can force a connection down to SSL v3.0 can use its loose CBC padding check as a padding oracle and recover plaintext, such as a session cookie, one byte at a time. Shortly afterwards, a variant of the same attack was shown to work against some TLS v1.0 implementations that also failed to validate padding bytes, and TLS v1.0 additionally shares the CBC chaining weakness behind the earlier BEAST attack, which TLS 1.1 fixed with explicit per-record IVs. Neither protocol can therefore fully protect your data, and for that reason every version of SSL and TLS v1.0 must be completely disabled.
Are There Any Consequences for Disabling SSL and TLS v1.0?
There can be inconveniences to disabling these two vulnerable and outdated protocols. The first is that users will no longer be able to reach your site over HTTPS from older browsers that either lack TLS 1.1/1.2 support or ship with it switched off, including:
- Firefox below version 27 (TLS 1.2 was enabled by default in Firefox 27, TLS 1.1 in Firefox 24)
- Google Chrome below version 30 (TLS 1.2 arrived in Chrome 30, TLS 1.1 in Chrome 22)
- the stock Android Browser on Android 4.4 and lower (TLS 1.1/1.2 exist from Android 4.1 but are disabled by default until Android 5.0)
- Internet Explorer 10 and lower (IE 8 to 10 on Windows 7 support TLS 1.1/1.2 but have them disabled by default; any IE version on Windows XP or Vista cannot use them at all)
- iOS 4 and earlier devices (TLS 1.2 support arrived in iOS 5)
- Safari 6 and lower on OS X (TLS 1.1/1.2 support arrived with Safari 7 on OS X 10.9)
In some cases users can simply install a newer web browser. Others will have to upgrade their operating system or device before a browser that supports the newer protocols will run on it; for Microsoft clients, for instance, Windows 7 is the minimum OS with TLS 1.1/1.2 support. The mandate also means that your servers must support TLS v1.1 or higher and must stop offering the old versions. For Windows this means Server 2008 R2 at a minimum, and note that on Windows 7 and Server 2008 R2 TLS 1.1 and 1.2 are supported but are not switched on for the server role until the Schannel registry keys are set: under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, an Enabled value of 0 in the SSL 3.0\Server and TLS 1.0\Server subkeys disables those versions, and a DisabledByDefault value of 0 (with Enabled set to 1) in the TLS 1.1\Server and TLS 1.2\Server subkeys enables the new ones, followed by a reboot. Check load balancers, reverse proxies and any other device that terminates TLS in front of your servers as well, since their configuration is what the client actually sees. You will not have to replace your web certificates, however, as X.509 certificates are independent of the protocol version.
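Disabling the old versions in a configuration file is only half the job; the other half is confirming from the outside that the server really refuses them. The script below is an added example and not part of the original article: it hand-builds a ClientHello that offers exactly one protocol version, sends it, and classifies the server's first reply as accepted, rejected by alert, or silently closed. Building the hello by hand means the check works even on systems whose own OpenSSL build will no longer speak SSLv3 or TLS 1.0. The host name, port and cipher list are illustrative assumptions.

```python
"""Probe which SSL/TLS versions a server is still willing to negotiate.

Each probe sends a hand-built ClientHello offering exactly one protocol
version and classifies the server's first reply. This does not depend on the
local OpenSSL build still being willing to speak SSLv3 or TLS 1.0.
"""
import os
import socket
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
MUST_BE_DISABLED = ("SSLv3", "TLS1.0")  # PCI DSS 3.2: SSL and "early TLS"

# Constructed probe list: RSA/DHE CBC suites that old servers accept, plus two
# GCM suites only a TLS 1.2 server can pick. A probe list, not a recommendation.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x009C, 0x009E]

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version: int, server_name: str = "") -> bytes:
    """Return one handshake record carrying a ClientHello for `version` only."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!H", version)                 # client_version
    body += os.urandom(32)                            # client random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites
    body += b"\x01\x00"                               # compression: null only
    # SSL 3.0 predates extensions; only TLS hellos get a server_name extension.
    if version >= VERSIONS["TLS1.0"] and server_name:
        name = server_name.encode("idna")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def classify_response(data: bytes, probed: int) -> str:
    """Classify the server's first record in reply to a ClientHello for `probed`."""
    if len(data) < 5:
        return "rejected (connection closed without a reply)"
    ctype = data[0]
    if ctype == ALERT and len(data) >= 7:
        desc = data[6]
        return "rejected (alert %s)" % ALERT_NAMES.get(desc, str(desc))
    if ctype == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        chosen = struct.unpack("!H", data[9:11])[0]
        name = VERSION_NAMES.get(chosen, hex(chosen))
        if chosen == probed:
            return "accepted (%s)" % name
        # The server answered with a lower version than offered: that lower
        # version is evidently still enabled, which is itself a finding.
        return "accepted at lower version (%s)" % name
    return "inconclusive (unexpected record type 0x%02x)" % ctype


def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> str:
    """Open a TCP connection, send one ClientHello and classify the reply."""
    version = VERSIONS[version_name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, host))
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""   # a silent close or reset is also a rejection
    return classify_response(reply, version)


def audit(host: str, port: int = 443) -> dict:
    """Probe every version in VERSIONS and return {version_name: verdict}."""
    return {name: probe(host, port, name) for name in VERSIONS}


def noncompliant_versions(results: dict) -> list:
    """Versions PCI DSS 3.2 requires to be disabled that some probe saw negotiated."""
    found = set()
    for verdict in results.values():
        if verdict.startswith("accepted"):
            negotiated = verdict[verdict.rfind("(") + 1:-1]
            if negotiated in MUST_BE_DISABLED:
                found.add(negotiated)
    return sorted(found, key=MUST_BE_DISABLED.index)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # hypothetical host
    results = audit(target)
    for name, verdict in results.items():
        print("%-7s %s" % (name, verdict))
    bad = noncompliant_versions(results)
    print("PCI DSS 3.2 protocol check:", "FAIL " + ", ".join(bad) if bad else "PASS")
```

Run it as `python probe_tls.py www.example.com` against each public hostname and each TLS terminator. A server that answers a TLS 1.1 hello with a TLS 1.0 ServerHello is reported as "accepted at lower version", because that shows TLS 1.0 is still enabled even if the TLS 1.0 probe itself were somehow blocked. A handshake_failure alert on the TLS 1.2 probe usually means the constructed cipher list has no suite in common with the server (an ECDSA-only certificate, for instance) rather than a disabled protocol, so treat it as inconclusive and re-probe with a cipher list that matches the server.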
Recommendations beyond TLS 1.1
It is highly recommended that you use TLS v1.2 if possible, as it offers the strongest protection of the versions discussed here. If you are running devices that can only reach TLS v1.1, make sure they are fully patched and up to date, and plan their replacement. The protocol version is only part of the picture: the cipher suites you offer matter too, so remove RC4, export-grade and 3DES suites and prefer the AEAD (GCM) suites that TLS 1.2 introduced. Merchants who rely on their service providers to encrypt data in transit may already be using TLS 1.2, as service providers were required to offer a secure (TLS 1.1 or higher) service option by June 30, 2016. Of course, proper security entails more than simply enabling and disabling protocols, and it is highly recommended that you work with a PCI QSA to make sure you understand the PCI DSS and its impact on your organization.