14 Aug 2015
It has now been over a month since the Payment Card Industry Data Security Standard (PCI DSS) 3.0 was officially retired on June 30.
In part 1 of this series on PCI DSS 3.1 migration, we noted that version 3.1 was swiftly introduced in April 2015 in response to major security flaws discovered in open source SSL, and the exploits – including Heartbleed, Shellshock and POODLE – that targeted those vulnerabilities. The flaws enable man-in-the-middle attacks and allow attackers to read supposedly secure, authenticated, encrypted communications. Consequently, the PCI Council branded SSL and TLS 1.0 as “vulnerable protocols” in the new version of its security standard.
Those who are required to comply with PCI DSS have a grace period until June 30, 2016, but any new deployments that use SSL or early versions of TLS are prohibited as of now.
Please see post #1 in this series (LINK) to view best practice risk-mitigation controls for environments currently using vulnerable protocols.
Online merchants need to develop a migration plan to move from SSL to the latest version of the Transport Layer Security protocol now, and also ensure any payment apps using SSL are updated. Here’s how to manage your migration.
Migrating from SSL and Early TLS
Your best resource for managing this upgrade is the PCI SSC guide “Migrating from SSL and Early TLS”, on which the information below is based.
Here is a basic outline of steps to follow while planning your migration from SSL/Early TLS to a secure protocol:
- Identify all system components and data flows relying on and/or supporting the vulnerable protocols
- For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol
- Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need
- Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented
- Document a migration project plan outlining steps and timeframes for updates
- Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment
- Perform migrations and follow change control procedures to ensure system updates are tested and authorized
- Update system configuration standards as migrations to new protocols are completed
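The first, third and fourth steps above (inventory what still speaks a vulnerable protocol, disable it where there is no need, and document the secure replacement configuration) are the ones a practitioner can partly automate. The following Python script is an added example written for this post; it is not from the PCI SSC guide or any vendor tool. It audits nginx `ssl_protocols` and Apache `SSLProtocol` directives from constructed sample configuration text, flags SSLv2, SSLv3 and TLS 1.0 as the PCI DSS 3.1 "vulnerable protocols", emits the replacement line, and includes a handshake probe for checking a live endpoint. Assumptions are labelled in the comments: the expansion of Apache's `all` keyword, the choice of TLS 1.2 as the replacement, and the simplified `+`/`-` handling.

```python
"""Audit web-server TLS settings against PCI DSS 3.1 "vulnerable protocols".

Added example for the migration steps above; the sample configs are
constructed for illustration and do not come from any real deployment.
"""
import re
import socket
import ssl

# PCI DSS 3.1 treats every SSL version and "early TLS" (TLS 1.0) as vulnerable.
VULNERABLE = {"SSLv2", "SSLv3", "TLSv1"}

# Assumption: the documented secure configuration is TLS 1.2 only. TLS 1.1 was
# still tolerated in 2015, but a new deployment gains nothing by enabling it.
SECURE = ["TLSv1.2"]

# Assumption: Apache's "all" keyword expands to these on an OpenSSL 1.0.1+ build.
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.M)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.M)


def nginx_protocols(cfg):
    """Return the protocol list from every nginx ssl_protocols directive."""
    return [m.group(1).split() for m in NGINX_RE.finditer(cfg)]


def apache_protocols(cfg):
    """Expand every Apache SSLProtocol directive into the protocols it enables.

    Simplified semantics (assumption): unsigned tokens add, '+' adds, '-' removes,
    and 'all' expands to APACHE_ALL, processed left to right.
    """
    result = []
    for m in APACHE_RE.finditer(cfg):
        enabled = []
        for tok in m.group(1).split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else [name]
            for n in names:
                if sign == "+" and n not in enabled:
                    enabled.append(n)
                elif sign == "-" and n in enabled:
                    enabled.remove(n)
        result.append(enabled)
    return result


def audit(cfg, flavour):
    """Flag each directive that still enables a vulnerable protocol.

    flavour is "nginx" or "apache". Each finding records what is enabled, the
    vulnerable subset, whether the directive is compliant, and the replacement
    line to document in the migration plan.
    """
    lists = nginx_protocols(cfg) if flavour == "nginx" else apache_protocols(cfg)
    findings = []
    for enabled in lists:
        bad = sorted(p for p in enabled if p in VULNERABLE)
        if flavour == "nginx":
            fixed = "ssl_protocols " + " ".join(SECURE) + ";"
        else:
            fixed = "SSLProtocol " + " ".join(SECURE)
        findings.append({"enabled": enabled, "vulnerable": bad,
                         "compliant": not bad, "fixed_line": fixed})
    return findings


def probe(host, port, version, timeout=5.0):
    """Inventory helper: does host:port complete a handshake with exactly `version`?

    Returns True/False, or None when the local OpenSSL refuses to even offer that
    version. Caveat: modern OpenSSL builds often cannot speak TLS 1.0 at all, so
    confirm the probe against a host known to accept the version before trusting
    a False. Certificate checks are off because this tests protocol support only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed sample configuration text (not from any real deployment).
SAMPLE_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
SAMPLE_APACHE = "SSLProtocol all -SSLv2\n"

if __name__ == "__main__":
    for flavour, cfg in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        for f in audit(cfg, flavour):
            print(flavour, "enabled:", f["enabled"], "vulnerable:", f["vulnerable"])
            print("  document and deploy:", f["fixed_line"])
```

Run it as a script to see the findings for the two sample configs; point `probe("host.example", 443, ssl.TLSVersion.TLSv1)` (a placeholder host) at an endpoint from your own inventory to record whether it still negotiates TLS 1.0. The Apache `all -SSLv2` sample is the classic case this migration catches: it looks hardened but still leaves SSLv3 and TLS 1.0 enabled.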
- The NVD rating of the vulnerability
- The ASV’s rating of the vulnerability
- Why the ASV disagrees with the NVD rating
