On 18 December 2015 the Payment Card Industry Security Standards Council (PCI SSC) announced a change to the date by which organisations that process, store or transmit cardholder data must migrate from SSL and TLS 1.0 to TLS 1.1 or higher. The previous deadline of June 2016 was moved to June 2018.
The PCI SSC, the global authority and forum for the development of payment card security standards, made the announcement following significant feedback from the global PCI community and security experts.
The original migration deadline, June 2016, was set out in version 3.1 of the PCI Data Security Standard (PCI DSS 3.1), published in April 2015. The new deadline will be included in the next version of the standard, which is expected later this year.
Stephen Orfei, General Manager, PCI SSC said: “Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks.”
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), have been the de facto standard for securing network traffic for over 20 years. They use public-key cryptography to authenticate the server and negotiate session keys, then encrypt the traffic with those keys. Typically the protocols secure communication between a browser and a server, protecting cardholder data in transit.
The decision is seen by many as a U-turn of quite significant proportions. SSL 3.0 was first released publicly in 1996; TLS 1.0, its successor, followed in 1999. Both have serious security flaws that fraudsters could exploit. PCI SSC regards this threat as serious, and that led to a hurried decision to require the upgrade to TLS 1.1 or higher by June 2016.
In hindsight this now looks overly ambitious and unrealistic. It is also seen as embarrassing: the original June 2016 deadline now appears not to have been properly thought through, a knee-jerk reaction to a serious issue.
The key weakness of SSL and early TLS is exposure to 'man-in-the-middle' attacks, in which an attacker who can intercept and relay traffic is able to read or alter it for fraud or other criminal purposes. POODLE is one example: it exploits a padding weakness in SSL 3.0's CBC cipher modes, together with the habit of clients falling back to SSL 3.0 when a TLS handshake fails, to recover plaintext such as session cookies one byte at a time.
Far better known is the Heartbleed bug (CVE-2014-0160), disclosed in April 2014. It is classified as a buffer over-read, where more data can be read than should be allowed. Strictly, Heartbleed is an implementation flaw in OpenSSL's handling of the TLS heartbeat extension rather than a weakness of the SSL or early TLS protocols themselves, and it is fixed by patching OpenSSL whatever protocol version is in use; migrating to TLS 1.1 or higher does not on its own remove it. It does show, though, how much is at stake when the transport-security layer fails.
According to NIST (the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce), there are no fixes or patches that adequately secure SSL or early TLS, a conclusion it reached in February 2015. PCI SSC says: “It is critically important that organisations upgrade to a secure alternative as soon as possible, and disable any fall back to both SSL and early TLS.”
SSL and early TLS remain in widespread use today, despite their known vulnerabilities and NIST having deprecated them in 2014. The new date of June 2018 offers additional time to migrate to more secure protocols, but waiting is not recommended. Attacks such as POODLE, and the scale of the Heartbleed exposure, show that anyone still running SSL and early TLS risks being breached.
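A check a practitioner would run against the "disable any fall back to SSL and early TLS" advice above, written for this page as an added example (it is not code from the article or from PCI SSC): it parses the nginx `ssl_protocols` and Apache mod_ssl `SSLProtocol` directives from constructed config snippets, flags SSLv2, SSLv3 and TLS 1.0 as disallowed, and produces a corrected nginx directive. The snippets, the function names and the treatment of Apache's `all` keyword as "every version the build supports" are assumptions of the example.

```python
"""Audit web-server protocol directives for the PCI DSS SSL/early-TLS migration.

Added example, not part of the original article or any PCI SSC material.
Assumptions: config snippets below are constructed; only nginx `ssl_protocols`
and Apache mod_ssl `SSLProtocol` are parsed; Apache's `all` is taken to mean
every version a current mod_ssl build supports (SSLv2 is no longer compiled in).
"""
import re

# Versions PCI DSS 3.1/3.2 treats as "SSL and early TLS": must be disabled.
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}

# Canonical spelling for the tokens the two servers accept.
CANON = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1", "tlsv1.0": "TLSv1",
         "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}

# What Apache's "all" expands to (assumption: a current mod_ssl build).
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed config snippets: the weak setting beside the corrected one.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n"
WEAK_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
HARDENED_APACHE = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"


def _canon(token):
    """Map a directive token to its canonical version name."""
    try:
        return CANON[token.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol token: {token!r}")


def parse_nginx_protocols(config):
    """Return the set of versions an nginx `ssl_protocols` line enables, or None if absent."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config, re.M)
    if not m:
        return None
    return {_canon(tok) for tok in m.group(1).split()}


def parse_apache_protocols(config):
    """Return the set of versions an Apache `SSLProtocol` line enables, or None if absent.

    mod_ssl semantics: bare or '+' tokens add, '-' tokens remove, evaluated left to right.
    """
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", config, re.M | re.I)
    if not m:
        return None
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = APACHE_ALL if name.lower() == "all" else [_canon(name)]
        if sign == "+":
            enabled.update(versions)
        else:
            enabled.difference_update(versions)
    return enabled


def audit(enabled):
    """Classify an enabled-version set against the SSL/early-TLS ban."""
    if enabled is None:
        # No explicit directive: the build's default applies, which is a finding in itself.
        return {"compliant": False, "disallowed": [],
                "note": "no explicit protocol directive; the server default applies"}
    bad = sorted(enabled & DISALLOWED)
    return {"compliant": not bad, "disallowed": bad, "note": None}


def remediate_nginx(enabled):
    """Build an `ssl_protocols` line that keeps only the allowed versions already enabled.

    TLS 1.1 is the PCI DSS minimum, so it is kept if present; TLS 1.2 is the floor otherwise.
    """
    keep = sorted(enabled - DISALLOWED) or ["TLSv1.2"]
    return "ssl_protocols " + " ".join(keep) + ";"


if __name__ == "__main__":
    for label, parse, cfg in [("weak nginx", parse_nginx_protocols, WEAK_NGINX),
                              ("hardened nginx", parse_nginx_protocols, HARDENED_NGINX),
                              ("weak apache", parse_apache_protocols, WEAK_APACHE),
                              ("hardened apache", parse_apache_protocols, HARDENED_APACHE)]:
        enabled = parse(cfg)
        result = audit(enabled)
        print(f"{label:16} enabled={sorted(enabled)} -> {result}")
        if parse is parse_nginx_protocols and not result["compliant"]:
            print(f"{'':16} suggested: {remediate_nginx(enabled)}")
```

The audit is a static check of what the server is configured to offer; it should be paired with an active handshake test from outside the cardholder data environment, since a load balancer or TLS-terminating proxy in front of the server may offer protocol versions the web server itself does not.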
For the Payment Card Industry, the situation with TLS/SSL only serves to reinforce the best advice for securing networks, protecting transactional data and ensuring the privacy of customer data:
Chris Scott – Programme Director