Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most commonly used encryption protocols and remain in widespread use today, despite the security vulnerabilities exposed in them in 2014.

Both are used to authenticate access to systems and to protect the confidentiality and integrity of the information that passes between them, for example to secure the connection between a user and a website during a credit card transaction.

SSL v3.0 was superseded in 1999 by TLS (Transport Layer Security) v1.0, which has since been superseded by TLS v1.1 and v1.2. Today, SSL and early TLS no longer meet minimum security standards, because the protocols themselves contain vulnerabilities for which there are no fixes. It is critically important to upgrade to a secure alternative as soon as possible and to disable any fallback to SSL or early TLS.

It is well known that running a business on vulnerable technology is a risk with a very high cost. Many companies rely on the implementation of secure communications technologies as the foundation of their services, and companies that have implemented secure protocols have an advantage over their competitors.

Deadline for migrating from SSL and early TLS in PCI DSS v3.2

In April 2015, SSL and early TLS were removed as examples of strong cryptography in PCI DSS v3.1. For this reason, PCI DSS v3.2 set a deadline of June 30, 2018 for migrating away from SSL and early TLS. This offers additional time to move to more secure protocols, but waiting is not recommended: the existence of many exploits (POODLE, Heartbleed, etc.) shows that anyone still using SSL or early TLS risks being breached. All entities using SSL or early TLS as a security control should move to secure versions such as TLS 1.2.

New and existing implementations

For new implementations, the use of SSL or early TLS is not allowed. PCI considers an implementation new when it has no pre-existing need to support a vulnerable protocol. Existing implementations are those with a pre-existing reliance on, or use of, one or more vulnerable protocols; these may continue to use SSL and early TLS until the deadline.

Only the POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2018.
Details on the use of SSL and early TLS can be found in these PCI-DSS v3.2 requirements:

  • Requirement 2.2.3 requires implementing additional security on insecure protocols.
  • Requirement 2.3 requires encryption of all non-console administrative access.
  • Requirement 4.1 requires the use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

In addition, if a system still uses SSL or early TLS, Appendix A2 must be completed. Remember, however, that after the June 30, 2018 deadline PCI certification will not be granted at all while SSL or early TLS is in use.
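Requirements 2.3 and 4.1 above come down to a concrete configuration decision: the endpoint itself must refuse SSL and early TLS rather than rely on clients to choose well. The following Python example is added here and is not code from the original article or from PCI SSC. It builds the weak "accept whatever the library can speak" server configuration beside a hardened one using the standard `ssl` module, and audits a context against the floor this article recommends (TLS 1.2 or higher). The `audit_context` function, the weak-cipher markers and the cipher list are my own choices, not values prescribed by PCI DSS.

```python
import ssl

# Substrings that identify cipher suites an assessor will flag (assumption).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def legacy_server_context():
    """The 'before': a context that still allows fallback to SSLv3 / early TLS.

    MINIMUM_SUPPORTED means "whatever the linked OpenSSL can still negotiate",
    which on older builds includes SSLv3 and TLS 1.0. This is the kind of
    setting Appendix A2 asks you to find and remove.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def hardened_server_context(certfile=None, keyfile=None):
    """The 'after': TLS 1.2 as the floor, TLS 1.3 allowed, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # no SSL, no early TLS
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # Cipher list is an assumption for this example, not a PCI mandate.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS-level compression off
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server chooses the suite
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)       # a real deployment needs a cert
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the floor."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}: SSL/early TLS fallback possible"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else 'FINDINGS'}")
        for problem in problems:
            print(f"  - {problem}")
```

`audit_context` is a self-check for services whose TLS settings live in Python code; the same floor is expressed in other stacks with their own protocol directives (for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx), and the point of step 4 of the migration plan below is to write that setting down once as the configuration standard every component must match.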

Recommendations to plan migration

We hope this has convinced you to finally migrate away from SSL and early TLS. If so, keep the following PCI recommendations and steps in mind when planning your migration:

  1. Identify all system components and data flows relying on and/or supporting the vulnerable protocols.
  2. For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol.
  3. Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need.
  4. Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented.
  5. Document a migration project plan outlining steps and timeframes for updates.
  6. Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment.
  7. Perform migrations and follow change control procedures to ensure system updates are tested and authorised.
  8. Update system configuration standards as migrations to new protocols are completed.
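Steps 1 to 3 need an inventory of which endpoints still negotiate SSL or early TLS. The following Python script is an added example, not part of the article or of any PCI SSC tool. It attempts a handshake at each protocol version against a list of endpoints and classifies the outcome using the article's reading of PCI DSS v3.2 (SSL and TLS 1.0 prohibited, TLS 1.1 not recommended, TLS 1.2 and above acceptable). The endpoint names, the `probe_version` and `assess_results` functions and the classification sets are my own assumptions.

```python
import socket
import ssl
import sys

# Versions to try, oldest first. SSLv2 is omitted because the ssl module cannot
# negotiate it at all; it needs a dedicated scanner.
PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Classification sets (assumption based on the article's reading of PCI DSS v3.2).
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}   # "SSL and early TLS"
NOT_RECOMMENDED = {"TLSv1.1"}              # allowed, but the article recommends 1.2+


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`,
    False if it refuses, None if the result is inconclusive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is deliberately off: this context only tests
    # protocol negotiation and must never be reused for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # local OpenSSL was built without this version
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower it
    # for the probe so that a refusal reflects the server, not the client.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False            # handshake rejected
    except OSError:
        return None             # unreachable or timed out: no conclusion


def assess_results(results):
    """Turn {version: True/False/None} into a PCI-oriented summary."""
    accepted = {v for v, ok in results.items() if ok}
    prohibited = sorted(accepted & PROHIBITED)
    weak = sorted(accepted & NOT_RECOMMENDED)
    acceptable = sorted(accepted - PROHIBITED - NOT_RECOMMENDED)
    return {
        "prohibited_accepted": prohibited,
        "not_recommended_accepted": weak,
        "acceptable_accepted": acceptable,
        "untested": sorted(v for v, ok in results.items() if ok is None),
        "migration_required": bool(prohibited),
    }


def scan_endpoint(host, port):
    results = {name: probe_version(host, port, ver) for name, ver in PROBE_VERSIONS.items()}
    return assess_results(results)


if __name__ == "__main__":
    # Constructed inventory standing in for step 1; pass host:port arguments to override.
    endpoints = sys.argv[1:] or [
        "pos-gateway.example.internal:443",
        "payment-api.example.internal:8443",
    ]
    for ep in endpoints:
        host, _, port = ep.rpartition(":")
        summary = scan_endpoint(host, int(port))
        verdict = "MIGRATE" if summary["migration_required"] else "ok"
        print(f"{ep}: {verdict} {summary}")
```

Entries in `untested` deserve a second look: a `None` for SSLv3 on a current OpenSSL usually means the scanning host cannot speak it anymore, not that the server refuses it, so confirm those with a scanner that still has legacy protocol support before marking the component clean in step 3.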

This document specifically addresses the requirements related to SSL and TLS. In general, a system that seems safe today may not be tomorrow, so administrators must keep learning about known vulnerabilities and keep systems up to date: deploy vendor-recommended configurations and patches, and keep the documentation current.


About the author:
Natalia Morando is a security professional specialising in PCI with over 12 years of experience.

Reference links:
PCI security standards
NIST
US-CERT