The Payment Card Industry Security Standards Council (PCI SSC) released an update to its vulnerability standards and is giving merchants until June 2018 to migrate their security protocols, even though waiting is not recommended.
Security Sockets Layer (SSL) and some Transport Layer Security (TLS) encryption protocols have held known vulnerabilities for many years. Following a slew of high-profile breaches caused by POODLE, Heartbleed and Freak, the PCI SSC took action in April 2015, mandating that all SSL and early TLS be replaced with new technology by before June 30, 2016. That date, at least for merchants, has been postponed until June 30, 2018.
The PCI SSC has released several statements regarding this migration extension. In total, the revisions state:
Because virtually all ecommerce websites are SSL/TLS-enabled for cryptography, they are at highest risk from SSL/TLS vulnerabilities. Other applications that likely use SSL/TLS are:
The PCI Council reported that, as of November 2015, there were still 200,000 vulnerable devices on the Internet, which is likely what led to this deadline extension.
You could contact your terminal providers, gateways, service providers, vendors, and acquiring bank to determine if the applications and devices you use have the updated encryption protocol. However, a much easier, more thorough, and less time-consuming option would be to conduct a penetration test on all of your systems to find any known vulnerabilities.
If you’re using an existing implementations of SSL and early TLS and you need to continue using it, you must have a Risk Mitigation and Migration Plan in place. Some key points to consider before implementing new software and hardware are:
Read news item from the PCI Council. For more information, call Omega ATC at 636-557-7777.