Payment Application Developers On Notice: SSL Won't Cut It For PCI

The PA-DSS recent update continues the PCI Council's work to upgrade the payment ecosystem to more secure TLS encryption protocol. Here's what you need to know.

June 5, 2015


By Ericka Chickowski

The PCI Security Standards Council continues to get tough on SSL. This week the council released updates to its Payment Application Data Security Standard (PA-DSS) for developers of payment applications that urge them to upgrade from the less secure Secure Sockets Layer (SSL) encryption protocol to a secure version of Transport Layer Security (TLS). PA-DSS version 3.1 follows the release earlier this year of the PCI Data Security Standard (PCI DSS) 3.1, which governs retailers entrusted with payment information and states that SSL and early TLS are no longer acceptable protocols for protecting payment data.

“The Council works closely with the payment security community on any changes made to the PCI Standards,” said PCI SSC Chief Technology Officer Troy Leach. “This update falls in line with our mission of pushing for the best security as soon as possible, while empowering organizations to take a pragmatic, risk-based approach to protecting their data.”

While the PA-DSS requirements are effective immediately for payment application developers, PCI DSS is giving retailers until the end of June 2016 to sunset SSL and early TLS in existing system implementations. There is currently a short transition period for applications currently undergoing PA-DSS 3.0 validations—developers have until August 31 to get their applications in queue for validation under the old standards without worrying about the SSL/TLS requirements.

TLS must replace SSL

“Unlike PCI DSS, PA-DSS 3.1 requires software vendors to take prompt action with their payment applications. The removal of SSL and early TLS is required now,” warn Barry Johnson and Bill Serate, co-founders of consultancy Dara Security.

“It is also important to understand that having an application submitted under the PA-DSS 3.0 guidelines does not mean that support of SSL and early TLS is acceptable. Based on our experience, the PCI SSC takes a firm stand on the removal of weaker protocols. Since December 2014, the PCI SSC has required us to confirm that submitted applications utilize TLS 1.1 or later and use these protocols as a preference over SSL and early TLS.”
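What "TLS 1.1 or later, preferred over SSL and early TLS" looks like in a payment application's client code, as an added illustration that is not part of this article or of any PCI SSC material: a version-floor check, the unconstrained "before" context beside the hardened one, and a scan of constructed handshake log lines (hypothetical format) for negotiations below the floor. The TLS 1.2 floor in `hardened_context` is my choice, not the article's number.

```python
import re
import ssl

# Protocol names as OpenSSL/Python report them, oldest first. The article's rule:
# SSL (any version) and early TLS (1.0) are out; TLS 1.1 or later is acceptable.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ACCEPTABLE = "TLSv1.1"


def is_acceptable_protocol(name: str) -> bool:
    """Meets the TLS 1.1-or-later floor? Unknown names fail closed."""
    if name not in PROTOCOL_ORDER:
        return False
    return PROTOCOL_ORDER.index(name) >= PROTOCOL_ORDER.index(MINIMUM_ACCEPTABLE)


def legacy_context() -> ssl.SSLContext:
    """The 'before' setting: no version floor, so the library may negotiate
    whatever old version the peer offers and the local OpenSSL still builds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """The corrected setting. TLS 1.2 as the floor is my choice: it satisfies
    'TLS 1.1 or later' without depending on a version many builds disable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor
    ctx.check_hostname = True          # keep hostname and chain validation on
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


# Constructed handshake log lines in a hypothetical format (not from any product).
SAMPLE_LOG = """\
2015-06-05T10:00:01Z peer=198.51.100.7 protocol=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2015-06-05T10:00:04Z peer=198.51.100.9 protocol=SSLv3 cipher=AES256-SHA
2015-06-05T10:00:09Z peer=203.0.113.4 protocol=TLSv1 cipher=AES128-SHA
2015-06-05T10:00:12Z peer=198.51.100.7 protocol=TLSv1.1 cipher=AES128-SHA256
"""
LINE_RE = re.compile(r"peer=(?P<peer>\S+) protocol=(?P<proto>\S+)")


def noncompliant_handshakes(log_text: str) -> list:
    """(peer, protocol) for each handshake below the floor: what to hunt for
    while sunsetting SSL/early TLS in an existing deployment."""
    return [(m.group("peer"), m.group("proto"))
            for m in map(LINE_RE.search, log_text.splitlines())
            if m and not is_acceptable_protocol(m.group("proto"))]
```

Running `noncompliant_handshakes(SAMPLE_LOG)` flags the SSLv3 and TLSv1 entries and passes the TLS 1.1 and 1.2 ones.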

SSL’s shortcomings

Security experts have long warned of the shortcomings of the 20-year-old SSL protocol, which is still widely used to encrypt data transmissions between web servers and browsers. Last year the National Institute of Standards and Technology (NIST) identified the protocol as having inherent weaknesses.

This recommendation has come to the forefront in the last year as SSL has come under greater fire with the uncovering of a number of dramatic vulnerabilities and attacks such as Heartbleed, Shellshock and POODLE.
