Problems With PCI-DSS Compliance – And How to Correct Them

Many companies adopted SSL and early TLS to comply with the Payment Card Industry Data Security Standard (PCI-DSS). These companies are all too aware of the many issues that have plagued those implementations. For instance, if you haven't heard of high-profile vulnerabilities such as Heartbleed, POODLE, FREAK, and Logjam, you must have been living under a rock. So, how can these vulnerabilities be mitigated moving forward?

Companies that must remain PCI-DSS compliant have been forced to scramble to protect their external-facing systems, both to ensure the safety of their customers' data and to avoid becoming the next big headline. These vulnerabilities are the result of weaknesses in the SSL and early TLS protocols themselves, not merely in particular implementations.

What Is the Risk?

SSL and TLS provide data integrity and confidentiality by encrypting the channel between two endpoints. Beginning with SSL 3.0, protocol vulnerabilities have been surfacing right and left, many of which allow attackers to access and extract data from supposedly secure connections. Such man-in-the-middle attacks allow an attacker to decrypt otherwise encrypted SSL 3.0 messages, meaning customer and credit card data are not safe. The problem became so widespread that as of April 2014, the U.S. government deemed SSL not approved for protecting federal information. No clearer message is needed: SSL is not safe for data transmission, especially of personally identifiable information such as credit card data.

What Should You Do?

The PCI Security Standards Council (PCI-SSC) updated the PCI-DSS to v3.1 in April 2015, requiring businesses to migrate off SSL and early TLS by June 30, 2016. With that date passed, the best option is to move to a more mature encryption protocol, such as TLS v1.2. If configured properly (weak protocol versions and cipher suites disabled, not merely TLS v1.2 enabled alongside them), TLS v1.2 can provide the security necessary for PCI-DSS compliance and for security best practices.

For more information on secure TLS configurations, refer to NIST SP 800-52 rev 1. Or consult a cybersecurity professional at Security Pursuit to ensure your organization has a risk mitigation plan in place and tested.