Earlier this year, the PCI Security Standards Council officially released PCI DSS 3.1 only months after its predecessor (version 3.0) came into effect. With a typical three-year period between standard revisions, the out-of-band update caught many off guard, especially organizations still in the process of complying with the changes from the previously established data security standard. Although 3.0 was officially retired late last month, retailers are given a reasonable time to adhere to the new requirements. However, merchants are urged to begin addressing the changes promptly, as the latest PCI DSS version aims to remediate encryption-related vulnerabilities known to actively impact retail networks. The updated standard addresses inherent vulnerabilities identified by the National Institute of Standards (NIST) within the Secure Sockets Layer (SSL) encryption protocol and early versions of Transport Layer Security (TLS) that can put customer payment data at risk.
“Upgrading to a current, secure version of Transport Layer Security (TLS), the successor protocol to SSL, is the only known way to remediate these vulnerabilities, which have been exploited by browser attacks, such as POODLE and BEAST,” the PCI SSC said in a statement.
The 3.1 update, which affects requirements 2.2.3, 2.3 and 4.1, now requires all new implementations use at least TLSv1.1, although entities are encouraged to consider TLSv1.2. In addition, existing implementations must accompany a formal migration and mitigation plan. All existing migrations must be completed by the June 2016 deadline. “Although PCI DSS 3.1 has a ‘sundown’ period that’s one year away, the council has made this revision effective immediately, and organizations that are still using these protocols are required to have risk mitigation and migration plans in place,” said Tripwire’s Ken Westin, Sr. Security Analyst.
“This means retailers need complete visibility into where these protocols are in their environments, as well as what versions and encryption strengths are being used, and they should begin the migration process as soon as possible.”
“The fact that the PCI Council is specifically calling out technologies as insecure is significant, because in the past, the council has relied on the QSA’s personal awareness and knowledge of which encryption methods are sufficient", said Adrian Sanabria, senior security analyst for 451 Research. As a former QSA, Sanabria adds that gaps are often identified between the encryption settings or protocols people believed were enabled, and those that were actually in use. The POODLE vulnerability in the SSL version 3 protocol, which came to light in October of last year, puts retailers at risk, as it potentially allows attackers to conduct a man-in-the-middle attack and extract data from secure HTTPS connections. The PCI Council noted that modern web browsers will begin prohibiting SSL connections in the near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol. In an effort to help entities plan their migration to a secure alternative, the PCI Council outlined these suggested steps (PDF):
- Identify all system components and data flows relying on and/or supporting the vulnerable protocols
- For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol
- Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need
- Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented
- Document a migration project plan outlining steps and timeframes for updates
- Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment
- Perform migrations and follow change control procedures to ensure system updates are tested and authorized
- Update system configuration standards as migrations to new protocols are completed
Tripwire customers are offered comprehensive platform and policy support for PCI DSS version 3.1 requirements in both Tripwire Enterprise security configuration management and Tripwire IP360 vulnerability management. Click here for more information about Tripwire's PCI DSS solution.