The Lowdown on this month's PCI standards update.

Earlier this month the PCI Security Standards Council released an update to their standards. As of June 30, 2016, SSL and TLS versions 1.1 or lower will no longer be acceptable security controls (read all of the gory details here). E-commerce merchants must migrate to a more modern encryption protocol (at least TLS v1.2).

But what does it actually mean?

It means that businesses that need to comply with PCI (if you accept credit cards – I mean you) can’t use SSL and TLS version 1.1 encryption protocols to satisfy PCI requirements, specifically requirements 2.2.3 and 2.3 – the requirements that mandate encryption of cardholder data and sensitive information.

Do I use SSL and TLS?

Probably – yes.
SSL/TLS are some of the most widely used encryption protocols on the internet. Unfortunately, they are not perfect, a fact that has been highlighted a number of times in the past year (remember Heartbleed). It’s because of this that PCI is saying no, these can’t be used as your security control.

You can check which versions you are running here.
Another option is to run an ASV scan. It’s a requirement of PCI anyway, and it will help you identify whether you are using the affected protocols.
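If you would rather do that check yourself, here is an added example (not part of the original post, and not a PCI SSC tool) using Python's standard ssl module: it pins a client handshake to each protocol version in turn, records which ones the server accepts, and then applies the rule above (any SSL or TLS 1.1-or-lower version still accepted means you need a migration plan). The host name is a placeholder; pass your own as the first argument.

```python
import socket
import ssl
import sys

# Versions the post says are no longer acceptable under PCI: SSL and TLS 1.1 or lower.
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1")
MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")

def probe_version(host, port, name, timeout=5.0):
    """Handshake pinned to one version. True: server accepted it. False: server rejected it.
    None: this client's OpenSSL build cannot offer it (typical for SSLv3 today).
    Plain network errors (refused, timeout) propagate to the caller."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only protocol negotiation is under test,
        ctx.verify_mode = ssl.CERT_NONE  # so certificate problems must not mask the result
        version = getattr(ssl.TLSVersion, name.replace(".", "_"))
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # OpenSSL 3 refuses to speak TLS 1.0/1.1 at its default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels do not need this
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except ssl.SSLError as exc:
        # "no protocols available" is our own client declining, not a server refusal
        return None if "NO_PROTOCOLS_AVAILABLE" in str(exc) else False

def probe_host(host, port=443):
    """Probe every version against one host; keys are the version names above."""
    return {v: probe_version(host, port, v) for v in LEGACY_VERSIONS + MODERN_VERSIONS}

def pci_assessment(results):
    """The post's rule: any legacy version still accepted means you need a migration plan."""
    legacy_on = [v for v in LEGACY_VERSIONS if results.get(v) is True]
    modern_on = [v for v in MODERN_VERSIONS if results.get(v) is True]
    verdict = "needs migration plan" if legacy_on else ("ok" if modern_on else "no TLS version accepted")
    return {"verdict": verdict, "legacy_enabled": legacy_on, "modern_enabled": modern_on}

if __name__ == "__main__":
    # "shop.example.com" is a placeholder; pass your own host on the command line
    print(pci_assessment(probe_host(sys.argv[1] if len(sys.argv) > 1 else "shop.example.com")))
```

A None result for SSLv3 only tells you the machine you ran this from cannot speak SSLv3 any more, so confirm that case with an ASV scan rather than assuming the server has it disabled.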

What do I do about it?

Ultimately, you need to convert to TLS 1.2 protocol (at least) but your first step is to make a plan. If you can migrate to the more secure protocol by June 30, 2016 – great! If not, you must document why not, and build a risk mitigation and migration plan.

Here are the recommended steps from the PCI Security Standards Council:

  1. Identify all system components and data flows relying on and/or supporting the vulnerable protocols
  2. For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol
  3. Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need
  4. Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented
  5. Document a migration project plan outlining steps and timeframes for updates
  6. Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment
  7. Perform migrations and follow change control procedures to ensure system updates are tested and authorized
  8. Update system configuration standards as migrations to new protocols are completed

Source here

Overall PCI is saying that early SSL and TLS encryption protocols aren’t secure enough to protect credit card information, so e-commerce merchants should stop using them. If you can’t stop using them immediately, document why, and build a detailed plan that outlines how and when you will be able to upgrade.

We can help – contact us if you’d like to schedule an ASV scan.

Aisling McCaffrey

Demand Marketing Specialist at Thinkwrap
Aisling is our Demand Marketing Specialist at Thinkwrap, and loves working with both technology and humans. She studied International Business (concentrating in Marketing) and has spent several years living and working in China, mostly in Shanghai, where she became passionate about global innovation and how the use of social media changes in different cultures. Aisling likes to keep up on internet trends - from business to memes - and is always looking for new ways to learn or entertain herself.