Notice of PCI DSS 3.1 Unexpected Update

Posted by Joe Musitano on Apr 29, 2015 11:29:30 AM

In the article “PCI DSS 3.1 set for April 2015 release, will cover SSL vulnerabilities,” TechTarget reported the following, which we felt was important to share with our subscribers regarding PCI DSS 3.1, published a few days ago. PCI DSS 3.0 is scheduled to retire on June 30, 2015:

The governing body behind the Payment Card Industry Data Security Standard has confirmed that the next version of the mandate will be released in (April), which could spark a scramble by merchants trying to implement the surprise update.

In a press release FAQ posted to its website (late March), the PCI Security Standards Council (SSC) announced that it will publish PCI DSS version 3.1 in April, to be followed shortly thereafter by a revision to the payment system's PA-DSS guideline.

The SSC quietly announced last month that inherent weaknesses in the SSL version 3.0 protocol, commonly used by applications to encrypt the transmission of sensitive payment data, would require an unscheduled update to PCI DSS. Normally updated at three-year intervals, PCI DSS isn't due for a scheduled update until fall of 2016; PCI DSS 3.0 was released in November 2013.

The impending 3.1 update is largely a reaction to the wave of recent vulnerabilities affecting the integrity of the deprecated SSL protocol, as well as its newer cousin TLS. These include the infamous Heartbleed flaw in some OpenSSL implementations, the POODLE flaw that compromises legacy (but still commonly used) SSL 3.0 implementations, and the FREAK attack that enables attackers to intercept and decrypt SSL traffic in some applications, including Windows.

According to the SSC, the changes in PCI 3.1 will affect all requirements that reference SSL as an example of what it calls "strong cryptography," which in its glossary of terms is defined as "cryptography based on industry-tested and accepted algorithms, along with strong key lengths (minimum 112-bits of effective key strength) and proper key-management practices."

"The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as not being acceptable for the protection of data due to inherent weaknesses within the protocol," the SSC said in its statement. "Because of these weaknesses, no version of the SSL protocol meets the PCI Security Standards Council (PCI SSC) definition of 'strong cryptography.'"

Regarding specific mandates that will be affected by the upcoming PCI DSS changes, the SSC referenced Requirements 2.2.3 (encryption for VPNs, NetBIOS, file sharing, Telnet, FTP and similar services), 2.3 (encryption for Web-based management and other non-console administrative access) and 4.1 (encryption of cardholder data during transmission over open, public networks).

"Upgrading to a current, secure version of TLS, the successor protocol to SSL, is the only known way to remediate the SSL vulnerabilities which have been most recently exploited by browser attacks including POODLE and BEAST," the SSC said in its statement.

Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based research firm Gartner Inc., said the release of PCI DSS 3.1 is not only being expedited incredibly quickly, but will also catch many merchants by surprise.

"Our clients are just starting to come to grips with PCI DSS 3.0, which became effective in January, so it's unusual to see an update so soon," Litan said. "[The SSC] must've seen some big holes in the implementations out there that led them to rush out an update like this."

Litan said becoming compliant with the changes in PCI DSS 3.1 may prove particularly difficult for merchants because while some use of SSL, such as in databases or products that encrypt data at rest, may be under direct control of merchants, other SSL use may not be.

"It depends where the encryption is used, but if it's in the [point-of-sale] system, they don't have control," Litan said. "It'll be up to their POS vendors, and they'll have to work with their vendors to implement the updated encryption."
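The SSC's definition of strong cryptography quoted above (no version of SSL, at least 112 bits of effective key strength) and its remediation advice (move to a current TLS) translate into two concrete checks a merchant or its POS vendor can run: audit what peers actually negotiated, and pin what a server is allowed to offer. The block below is an added example, not code from TechTarget, Solupay or the PCI SSC; the handshake log format, peer names, the TLS 1.2 floor and the cipher string are assumptions for illustration (the SSC text only says "a current, secure version of TLS").

```python
# Checks against the PCI SSC 'strong cryptography' definition quoted above.
import re
import ssl

MIN_EFFECTIVE_BITS = 112  # minimum from the PCI DSS glossary definition

def strong_crypto_findings(protocol, strength_bits):
    """Reasons a (protocol, effective key bits) pair fails; [] means it passes."""
    findings = []
    if protocol.upper().startswith("SSL"):
        findings.append(f"{protocol}: no version of SSL is strong cryptography")
    if strength_bits < MIN_EFFECTIVE_BITS:
        findings.append(f"{strength_bits}-bit key strength is below {MIN_EFFECTIVE_BITS}")
    return findings

# Constructed handshake log lines (format and peer names are this example's
# assumptions, not any real product's output). 112-bit 3DES sits exactly on the bar.
SAMPLE_LOG = """\
2015-04-29T11:29:30Z pos-gw01 peer=pos-lane-07 proto=SSLv3 cipher=RC4-SHA bits=128
2015-04-29T11:29:31Z pos-gw01 peer=pos-lane-08 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128
2015-04-29T11:29:32Z pos-gw01 peer=legacy-kiosk proto=TLSv1.0 cipher=EXP-RC4-MD5 bits=40
2015-04-29T11:29:33Z pos-gw01 peer=pos-lane-09 proto=TLSv1.2 cipher=DES-CBC3-SHA bits=112
"""
LINE_RE = re.compile(r"peer=(?P<peer>\S+) proto=(?P<proto>\S+) cipher=\S+ bits=(?P<bits>\d+)")

def audit_log(text):
    """Map each peer whose negotiated session fails the definition to its findings."""
    report = {}
    for m in LINE_RE.finditer(text):
        findings = strong_crypto_findings(m["proto"], int(m["bits"]))
        if findings:
            report[m["peer"]] = findings
    return report

def pci_31_server_context():
    """Server context that refuses every SSL version. The TLS 1.2 floor and the
    cipher string are this example's choices; HIGH already excludes LOW/EXPORT grades."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4")
    return ctx

def audit_context(ctx):
    """Findings for a local context: floor not pinned above SSL, or a weak cipher offered."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        findings.append("protocol floor is not pinned to a TLS version")
    for c in ctx.get_ciphers():
        findings += [f"{c['name']}: {f}" for f in strong_crypto_findings("TLS", c["strength_bits"])]
    return findings
```

Running `audit_log(SAMPLE_LOG)` flags only the SSLv3 lane and the 40-bit kiosk; the 3DES session passes because 112 bits is the stated minimum, not below it.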


Solupay follows PCI Compliance changes closely, and through our managed PCI Compliance and dedicated support, we are ready to work with you on any concerns. We are very familiar with our existing clients' environments and are confident that our customers comply, but if you have any questions, call your dedicated relationship manager at 888.SOLUPAY. If you are not an existing Solupay client and would like more information on PCI Compliance, contact us today to learn more, or download our FAQ on PCI Compliance.
