SSL / TLS 1.0 Deadline for PCI DSS

22. January 2018

The Secure Socket Layer (SSL) protocol developed by Netscape and the Transport Layer Security (TLS) protocol standardised by the Internet Engineering Task Force (IETF) are cryptographic protocols that provide authentication and encryption of data in transit. Developed in the early 1990s, SSL is the predecessor of TLS and has undergone several revisions over the years to address security vulnerabilities and to support stronger cipher suites and algorithms. The most important revisions are SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006) and TLS 1.2 (2008).

Many organisations still use early versions of the protocol (anything below TLS 1.1). Until now, PCI DSS required such organisations to implement a “risk mitigation” and a “migration plan” in order to maintain PCI DSS compliance. The following requirements are affected:

Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

 
The PCI SSC (Security Standards Council) has set 30 June 2018 as the deadline; after that date, none of the early protocol versions may be used at all in the context of the above requirements if PCI DSS compliance is to be maintained. This applies to every version prior to TLS 1.1.
The PCI SSC is responding to known attacks such as POODLE and BEAST, which exploit weaknesses in those early protocol versions.
The only exception concerns point of interaction (POI) terminals: an organisation may keep using them if it can demonstrate that the terminals in use, including the termination points they connect to, are not susceptible to the known exploits.
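A defender-side check for the floor described above, added here as an example and not part of the original article or the PCI SSC source: it pins a client handshake to one protocol version at a time with Python's standard ssl module and reports which early versions a server still accepts. The host name and port are whatever you audit; a None result means the local OpenSSL build could not offer that version, which is an untested case, not a pass.

```python
import socket
import ssl

# Floor stated in the article: anything before TLS 1.1 is out after 30 June 2018.
PCI_MINIMUM = ssl.TLSVersion.TLSv1_1

# Versions worth probing, oldest first (names are ssl.TLSVersion members).
CANDIDATES = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")

def accepts_version(host, port, name, timeout=5.0):
    """Handshake with the client pinned to exactly one protocol version.

    True: the server completed it. False: the server refused. None: the local
    OpenSSL build could not even offer that version, so the result is unknown.
    """
    version = ssl.TLSVersion[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # probing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 hides TLS 1.0/1.1 behind security level 1; lower it for the probe.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # "no protocols available" means our side gave up before the server answered.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return False

def assess(results):
    """results maps version name -> True/False/None. Returns (compliant, offending, unverified)."""
    early = [n for n in sorted(results, key=lambda n: ssl.TLSVersion[n])
             if ssl.TLSVersion[n] < PCI_MINIMUM]
    offending = [n for n in early if results[n] is True]    # early versions still accepted
    unverified = [n for n in early if results[n] is None]   # early versions we could not test
    return (not offending, offending, unverified)

def audit(host, port=443):
    """Probe each candidate version and judge the host against the PCI floor."""
    return assess({n: accepts_version(host, port, n) for n in CANDIDATES})
```

Run audit("your.host", 443) against each termination point in scope; anything listed under unverified still needs a probe from a client that can speak that version before it can be counted as disabled.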
 
(Source: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)
 
About the PCI Expert Tips:
With our PCI Expert Tips, we would like to keep you informed about changes to the PCI Security Standards and provide you with initial explanations as to what the changes entail and how they may affect you. Please always take our articles only as a general reference – they do not replace individual case-by-case evaluations.
 
Should you have any questions or need assistance with your scope definition, please contact us. Our specialists are happy to help you:
+49 6102 8631-190
sales@usd.de
