During the second half of 2014 some of the largest organizations in the world have faced a series of attacks that caused severe damage to their business, their image and the privacy of their customers. Vulnerabilities like P.O.O.D.L.E., Heartbleed and Shellshock have focused the attention of PCI community on the most recent release of PCI DSS and PA DSS version 3.0. A review of the version 3.0 is currently being prepared by the PCI Council in order to address these weaknesses.


Why does the version 3.0 need to be reviewed?

The PCI SSC (Payment Card Industry Security Standard Council) is continuously monitoring threats and vulnerabilities with the goal of keeping the security standards up to date.

The PCI Council has worked together with other security industry stakeholders and over the last months tried to understand the impact of the newly discovered vulnerabilities.

The National Institute of Standards and Technology (NIST), one of the most important stakeholders, has identified the SSL (Secure Socket Layers) - a protocol meant to establish encrypted communication between a server and a client - as no longer acceptable for data protection and privacy protection.

Due to the weaknesses of this security protocol, there are currently no versions of SSL able to provide a "strong cryptography". This is why a revision of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) is now necessary.

What kind of solution do we expect from the upcoming version 3.1?

Looking at one of the last publications from the NIST we can read that:

"The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration."

This means that the problem is located in the way the information is encrypted when "cyber travelling" from a client to a server, such as from a browser to a web server or even from a mail server to a mail client. The tools that we use communicate and transact every day, can potentially harm our privacy.

The solution that we should expect, and that has been largely discussed by the industry experts over the last months, is the drop of SSL in favour of the TLS 1.2 protocol (latest release). The SSL and the Transport Layer Security (TLS) are both security protocols, they both are a "mechanisms to protect sensitive data during electronic dissemination across networks”. The TLS 1.3 is currently being created; the goal is to add extra measures to avoid exploitation and mitigate encryption related issues.

How is the switch to version 3.1 going to happen?

To ensure the continuity across the payment card industry, the PCI Council expects that the PCI DSS 3.1, once published, will be effective immediately. At the same time, the new requirements will need some time to be implemented and the PCI SSC will give some time to allow organizations to look into the new requirement and implement the changes.

Considering that there is no known way to address the weaknesses discovered in the SSL protocol, it is strongly recommended to all the organizations that handle payment cards, customers cardholder data and privacy, to discuss the problem with their IT experts and look into the possibility to switch to a strong cryptographic protocol, such as TLS, as soon as possible.

An additional resource for the most attentive and patient readers can be found here NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)

Do you already know if you are vulnerable to the P.O.O.D.L.E.? Check if you are P.O.O.D.L.E. vulnerable.

Keep your eyes open for PCI DSS Compliance

Advantio is a qualified PCI Compliance Assessor (QSA).

Follow our Security Blog to learn more about how the new version of the DSS Standard will look like.

Stay in touch with us to understand how, once released, the upcoming PCI and PA DSS version 3.1 will impact your business and how to keep on monitoring your compliance.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA