PCI Security Standards Council to boot out insecure SSL protocol
22 May 2018
The PCI Security Standards Council has asked all e-commerce platforms and those carrying out transactions online to migrate from existing SSL/early TLS protocols to a more secure TLS v1.2 or higher, stating that SSL/early TLS are no longer considered secure forms of encryption for payment card data.
The PCI Security Standards Council has set 30th June as the deadline for organisations to migrate from insecure SSL protocols to more secure ones. The date is firm not only because the migration has been repeatedly postponed since 2015, but also because attackers are increasingly exploiting weaknesses in SSL to carry out cyber attacks on firms.
For instance, in its latest Cyber Threat Report for 2018, network security firm SonicWall noted that hackers used obfuscation techniques like encrypting their malware payloads to circumvent traditional security controls to great effect last year.
Attackers using this technique enjoyed a great advantage over organisations that did not have SSL decryption capabilities in place. The firm predicted that in 2018, firms lacking SSL decryption capabilities could face up to 900 file-based attacks per year hidden by TLS/SSL encryption.
Why SSL needs to go
SSL (Secure Sockets Layer) is a cryptographic protocol that protects the privacy of data exchanged between a website and an individual user. It underlies websites whose URLs begin with https rather than http. Even though it has been superseded by Transport Layer Security (TLS), it continues to be used by a large number of organisations.
“Because of its widespread use online, SSL/early TLS has been targeted by security researchers and attackers. Many serious vulnerabilities in SSL/early TLS (e.g. POODLE, BEAST, CRIME, Heartbleed) have been uncovered over the past 20 years, making it an unsafe method for protecting sensitive data,” the PCI Security Standards Council said.
“Online and e-commerce environments using SSL/early TLS are most susceptible to these vulnerabilities and should be upgraded immediately. E-commerce merchants are also encouraged to implement a customer communication strategy to educate their customers about the dangers of using outdated browser software and the risk this poses to customer data,” it added.
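The Council's requirement is concrete: a server must refuse SSLv3, TLS 1.0 and TLS 1.1 and negotiate only TLS 1.2 or higher. The following added example (written for this page; it is not code from the PCI SSC or from the article) shows the two halves of that work in Python's standard `ssl` module: building a server context that enforces the TLS 1.2 floor, and a small parser that reads the version actually negotiated from a captured ServerHello so an assessor can confirm from the wire rather than from configuration. The ServerHello byte strings are constructed samples, not real traffic, and the function names are this example's own.

```python
import ssl

# Wire versions as they appear in the TLS version field (major, minor).
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
PCI_ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def pci_server_context() -> ssl.SSLContext:
    """Server-side context that only negotiates TLS 1.2 or higher.

    OP_NO_COMPRESSION removes TLS-level compression (the CRIME vector);
    the cipher string keeps only forward-secret AEAD suites for TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_meets_pci(ctx: ssl.SSLContext) -> bool:
    """Audit a context: TLS 1.2 floor and compression disabled."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and bool(ctx.options & ssl.OP_NO_COMPRESSION))


def negotiated_version(record: bytes) -> str:
    """Return the protocol version selected in a captured ServerHello record.

    For TLS 1.3 the legacy version field still says 0x0303; the real
    choice is carried in the supported_versions extension (type 0x002b).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + body[pos]              # skip session_id
    pos += 2 + 1                      # skip cipher_suite and compression
    if pos + 2 <= len(body):          # extensions block is optional
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            if etype == 0x002B and len(edata) == 2:
                version = (edata[0], edata[1])
            pos += 4 + elen
    return VERSION_NAMES.get(version, f"unknown({version[0]}.{version[1]})")


def meets_pci_minimum(record: bytes) -> bool:
    """True when the captured handshake settled on TLS 1.2 or 1.3."""
    return negotiated_version(record) in PCI_ACCEPTABLE


def sample_server_hello(version: bytes, extensions: bytes = b"") -> bytes:
    """Build a minimal ServerHello record (constructed sample, not real traffic)."""
    body = version + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += b"\xc0\x2f" + b"\x00"             # cipher suite, null compression
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: a legacy TLS 1.0 negotiation and a TLS 1.3 one.
LEGACY_HELLO = sample_server_hello(b"\x03\x01")
MODERN_HELLO = sample_server_hello(b"\x03\x03", b"\x00\x2b\x00\x02\x03\x04")

if __name__ == "__main__":
    print("server context compliant:", context_meets_pci(pci_server_context()))
    for name, rec in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(name, negotiated_version(rec), "ok" if meets_pci_minimum(rec) else "FAIL")
```

Running the audit against a context rather than a config file is deliberate: the floor that matters is the one the process actually enforces, and `context_meets_pci` can be dropped into a deployment test so a future change that lowers `minimum_version` fails the build. The ServerHello parser gives the complementary view from captured traffic, which is what an assessor sees during validation.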
Commenting on the announcement by the Council, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said that this is a very clear and straightforward message from PCI DSS to merchants that no further protraction will be tolerated.
“Previous leniency and postponed deadlines were likely caused by technical difficulties in fully eliminating SSL and early TLS, often residing in un-updatable devices or within complicated cloud infrastructure. Sanctions for non-compliance may be severe, thus all merchants who process credit cards should urgently check all their systems,” he added.
Why is being PCI DSS compliant so difficult?
The Council has also published PCI DSS version 3.2.1 which all organisations will be required to adopt by 30th June. “This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in 3.2, as well as the migration dates for SSL/early TLS. It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data,” said PCI SSC Chief Technology Officer Troy Leach.
It remains to be seen how many organisations will be able to migrate to the new security standard by the end of June, as PCI DSS compliance has always been a topic of concern. In August last year, Verizon’s 2017 Payment Security Report revealed that just 55.4% of companies assessed were fully PCI DSS compliant at interim validation, indicating that nearly half of stores, hotels, restaurants, practices and other businesses were still failing to maintain compliance from year to year and were also failing to pass on the advantages of using a certified and secure system to customers.
The report noted that a major reason behind the low PCI DSS compliance among businesses was the acute shortage of skilled IT personnel with the required domain knowledge and experience.
“We know it isn’t just about buying the right technology but instead about people and processes. To be efficient, a business needs to have proficiency in IT security. We realise that they have IT security teams without experts in the company and this is a matter of great concern to us. For example, in financial institutions, in the last 2 years, IT security teams have grown by between 100% and 200% and they are primarily made up of web developers and system administrators. These people do not have a security background. The level of proficiency needed is just not available in the market,” said Gabriel Leperlier, head of Continental Europe Advisory Services GRC/PCI.
“The need for IT security experts is acute right now. Teams have to be able to analyse what’s going on just by looking at systems. They should be able to detect an attack during its early stages: whereas a system admin will see two printers talking to each other, a security expert will see one printer scanning the other for information.
“Although initial cost may be expensive, staying compliant is not difficult. Being compliant is more about processes than money. We have some small companies who have been compliant for years and use payment service providers whereas some big ones fail. It is not about the size of the company.
“Secure transmission of customer data on an open network like the internet or a Wi-Fi network is critical to being certified as compliant. Businesses need to secure it end to end. Companies who are finding it difficult to adapt need to remember that they need to do so not because of the technicality but because they need to provide people with the same level of security across all their channels,” he added.