SSL No Longer Considered Strong Cryptography
Author: Viviana Wesley, PCI QSA
In a recent bulletin the Payment Card Industry Security Standards Council (PCI SSC) stated that updates to the Data Security Standard (DSS) version 3.0 are forthcoming, and very soon. The change is driven by the vulnerabilities found in the Secure Sockets Layer (SSL) protocol.
The National Institute of Standards and Technology (NIST) no longer considers the Secure Sockets Layer (SSL) v3.0 protocol acceptable for protecting data, because of weaknesses inherent in the protocol itself; these cannot be fixed by configuration or cipher-suite selection.
Thus no version of SSL meets the PCI SSC definition of ‘strong cryptography’, and the Council will address this with revisions to both the PCI DSS and the PA-DSS. The PCI SSC will soon publish PCI DSS v3.1 and PA-DSS v3.1 to address this issue, along with some other minor updates and clarifications. The new versions of the standards will be effective immediately upon release.
So what does that mean for you? If you are still using SSL, you need to begin migrating to Transport Layer Security (TLS) version 1.1 or later, and do so immediately. Once the PCI SSC releases the updated standards, organizations still relying on SSL will be out of compliance, and this applies to every organization regardless of merchant or service-provider level. Both sides of a connection matter: disable SSL on the servers you operate, and verify that your payment applications and integrations no longer negotiate it. Interested in more information on PCI v3.0? Download our PCI v3.0 Guide.
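The check a practitioner needs after reading the above is whether a given server will still negotiate SSLv3 or TLS 1.0. Below is an added example (not code from the original post or from the PCI SSC) that asks the server directly by sending hand-built ClientHello records and classifying the reply. It deliberately bypasses Python's ssl module, because modern TLS libraries refuse to even offer SSLv3 or TLS 1.0 on the wire, which makes them useless for finding servers that still accept those versions. The host name, port and the sample bytes in the code are assumptions for illustration.

```python
"""Probe which SSL/TLS versions a server will negotiate.

Added example for this article, not code from the original post or the PCI
SSC. ClientHellos are built by hand so that SSLv3 and TLS 1.0 can be offered.
Covers SSLv3 through TLS 1.2; TLS 1.3 is negotiated via an extension and is
out of scope. Hosts, ports and sample bytes are constructed for illustration.
"""
import os
import socket
import struct

# Protocol versions as (major, minor) on the wire
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}

# Widely implemented IANA cipher suite code points, so even an old server has
# something it can select; a server simply ignores suites it does not know.
CIPHER_SUITES = [0xC02F, 0xC02B, 0xC013, 0x002F, 0x0035, 0x000A]

CONTENT_HANDSHAKE, CONTENT_ALERT, HANDSHAKE_SERVER_HELLO = 0x16, 0x15, 0x02
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          86: "inappropriate_fallback", 112: "unrecognized_name"}


def build_client_hello(version):
    """Return one TLS record carrying a ClientHello that offers `version`.

    The same version goes in the record header and in client_version, and no
    extensions are sent, so the message is also valid for an SSLv3 server.
    """
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!BB", major, minor)          # client_version
            + os.urandom(32)                          # client random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server sent back: ("server_hello",
    (major, minor)), ("alert", description) or ("unknown", None)."""
    if len(data) >= 7 and data[0] == CONTENT_ALERT:
        return ("alert", data[6])                     # level at 5, description at 6
    if len(data) >= 11 and data[0] == CONTENT_HANDSHAKE and data[5] == HANDSHAKE_SERVER_HELLO:
        return ("server_hello", (data[9], data[10]))  # server_version after 4-byte header
    return ("unknown", None)


def interpret(probed, response):
    """Verdict for the version that was offered. A server may answer a TLS 1.2
    offer with a TLS 1.0 ServerHello; that is a successful negotiation of the
    lower version, which is what an assessor needs to know, so it is reported
    as "downgraded" rather than hidden."""
    kind, value = response
    if kind == "server_hello":
        name = NAMES.get(value, "%d.%d" % value)
        return ("accepted", name) if value == probed else ("downgraded", name)
    if kind == "alert":
        return ("rejected", ALERTS.get(value, "alert %d" % value))
    return ("no_answer", None)


def probe(host, port, version, timeout=5.0):
    """Offer a single version to host:port and report how the server reacts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            data = sock.recv(4096)        # some servers just close on SSLv3
    except (OSError, socket.timeout):
        data = b""
    return interpret(version, parse_server_response(data))


def scan(host, port=443):
    """Probe every version in VERSIONS; maps name -> (status, detail)."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def offending_versions(results, minimum="TLSv1.1"):
    """Versions the server negotiated that fall below `minimum` (TLS 1.1, the
    floor the article gives). Direct acceptances and downgrades both count."""
    found = set()
    for status, negotiated in results.values():
        if (status in ("accepted", "downgraded") and negotiated in VERSIONS
                and VERSIONS[negotiated] < VERSIONS[minimum]):
            found.add(negotiated)
    return sorted(found, key=VERSIONS.get)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # constructed default
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = scan(host, port)
    for name, (status, detail) in results.items():
        print("%-8s %-10s %s" % (name, status, detail or ""))
    bad = offending_versions(results)
    print("below TLS 1.1:", ", ".join(bad) if bad else "none")
```

Run it as `python probe.py host [port]`. A server that meets the TLS 1.1 floor described above shows SSLv3 and TLS 1.0 as rejected or unanswered and lists nothing under "below TLS 1.1". Because the probe sends no SNI or supported_groups extension, a "rejected" result from a virtual-hosted server is worth confirming with a full scanner, whereas an "accepted" or "downgraded" result is conclusive on its own. The probe does not cover TLS 1.3, which is negotiated through the supported_versions extension rather than the version fields checked here.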