This may come as a surprise to many, as the next release was not due anytime soon. PCI 3.1 will be released in April 2015 in light of the vulnerabilities surrounding SSL, such as ‘Heartbleed’ (a flaw in the implementation of the open-source OpenSSL library), ‘POODLE’ (which lets an attacker intercept secure Web communications), the ‘FREAK’ attack (which affected Microsoft Windows machines, allowing an attacker to downgrade an encrypted SSL session and then intercept and decrypt the traffic), and the most recent ‘Bar Mitzvah’ attack (which takes advantage of the outdated RC4 cipher still used in several SSL/TLS deployments). The PA-DSS guideline will be updated as well.
“The National Institute of Standards and Technology (NIST) has identified the Secure Sockets Layer (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as not being acceptable for the protection of data due to inherent weaknesses within the protocol,” the Security Standards Council (SSC) said in its statement. “Because of these weaknesses, no version of the SSL protocol meets the PCI Security Standards Council (PCI SSC) definition of ‘strong cryptography.’”
“Upgrading to a current, secure version of TLS, the successor protocol to SSL, is the only known way to remediate the SSL vulnerabilities which have been most recently exploited by browser attacks including POODLE and BEAST.”
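The statement above says what to do (retire every SSL version, move to a current TLS) but not how to verify it on a live configuration. The following is an added example written for this post, not code from the PCI SSC, NIST, or Omega: it audits an nginx-style `ssl_protocols` / `ssl_ciphers` configuration against the two points the post makes (no SSL version is strong cryptography; RC4 is outdated), places a weak configuration beside a corrected one, and builds a client-side TLS context that refuses to negotiate anything below TLS 1.2. The configuration snippets, the finding format, and the list of cipher markers treated as weak are constructed assumptions for illustration; treating TLS 1.0 and 1.1 as "early TLS" to be migrated away from follows PCI DSS 3.1's own wording rather than anything quoted on this page.

```python
"""Audit an nginx-style TLS configuration against the PCI SSC position quoted
above: no version of SSL is 'strong cryptography', and RC4 (the cipher abused
by the Bar Mitzvah attack) must not be offered.

Added example. The config snippets, Finding format and WEAK_CIPHER_MARKERS are
constructed for illustration, not taken from PCI SSC material or a real site.
"""
import re
import ssl
from dataclasses import dataclass
from typing import List

# Protocol tokens as nginx spells them in the ssl_protocols directive.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3"}        # no SSL version qualifies
EARLY_TLS = {"TLSv1", "TLSv1.1"}                # 'early TLS' per PCI DSS 3.1
# Assumption: substrings that mark a cipher suite we refuse to accept.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "DES")

# Constructed 'before' configuration: still offers SSLv3, TLS 1.0 and RC4.
WEAK_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers RC4-SHA:AES128-GCM-SHA256:!aNULL;
}
"""

# Constructed 'after' configuration: TLS 1.2+ only, AEAD suites, RC4 excluded.
HARDENED_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4;
}
"""


@dataclass
class Finding:
    severity: str   # "fail" (not acceptable) or "warn" (plan migration)
    message: str


def _directive(conf: str, name: str) -> str:
    """Return the argument string of the first `name ...;` directive, or ''."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).strip() if m else ""


def audit_nginx_tls(conf: str) -> List[Finding]:
    """Flag SSL versions and weak ciphers offered by an nginx server block."""
    findings: List[Finding] = []

    protocols = _directive(conf, "ssl_protocols")
    if not protocols:
        findings.append(Finding("warn", "ssl_protocols not set; relying on build defaults"))
    for proto in protocols.split():
        if proto in FORBIDDEN_PROTOCOLS:
            findings.append(Finding("fail", f"{proto} enabled: no SSL version is strong cryptography"))
        elif proto in EARLY_TLS:
            findings.append(Finding("warn", f"{proto} enabled: early TLS, migrate to TLS 1.2 or later"))

    for suite in _directive(conf, "ssl_ciphers").split(":"):
        if not suite or suite.startswith("!"):
            continue  # an exclusion such as !RC4 is not an offered suite
        for marker in WEAK_CIPHER_MARKERS:
            if marker in suite.upper():
                findings.append(Finding("fail", f"cipher {suite} offered: {marker}-based suites are not acceptable"))
                break
    return findings


def is_compliant(findings: List[Finding]) -> bool:
    """A configuration passes when nothing was rated 'fail'."""
    return not any(f.severity == "fail" for f in findings)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses every SSL version and early TLS outright."""
    ctx = ssl.create_default_context()          # verifies certs and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF)):
        result = audit_nginx_tls(conf)
        print(f"{label}: compliant={is_compliant(result)}")
        for f in result:
            print(f"  [{f.severity}] {f.message}")
```

Run it as a script to see the weak block fail on SSLv3 and RC4-SHA (with a warning on TLSv1) while the hardened block comes back clean; `hardened_client_context()` is the client-side counterpart, useful for in-house integrations that must stop talking to a payment endpoint over SSL regardless of what that endpoint still offers.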
Once released, this revision will be effective immediately. A distinguished analyst with Stamford, Conn.-based research firm Gartner Inc. is quoted as saying, “It’s always too fast for the average company to absorb and for the vendors to comply with, but really, they have no choice.”
Need help understanding the implications to your business environment? Give Omega a call at 636-220-4436, or reach us online.