Delaying PCI 3.1: Time to Dance the Compliance and Security Waltz

Image

The recent announcement from the Payment Card Industry Security Standards Council (PCI SSC) that it will be moving the PCI 3.1 deadline to June 2018 – giving an extra 24 months – caught my attention and reminded me of the ongoing dance between compliance and security. From a compliance and operational standpoint, the new deadline gives organizations more time to identify, remove and replace the non-compliance protocols adequately. Fair enough. From a security perspective, however, this change puts your organization at great risk, potentially enabling hackers to simply waltz their way into your systems over the next two years. Ultimately, we need compliance and security to partner up and waltz together if we are to counter those threats.

Consider the Risk and Impact

Let’s take a closer look at what’s behind the 3.1 encryption requirements. The PCI Council announced the PCI 3.1 standard back in April 2015 with an original adoption date of June 2015. PCI 3.1 essentially requests that organizations remove Secure Socket Layer (SSL) and earlier versions of Transport Layer Security (TLS) protocols, given their inherent security weaknesses, as well as that they will not implement new assets with those protocols. So what’s the risk? To provide some context, SSL/TLS encrypts a channel between two endpoints (for example, between a payment system and database) to provide privacy and reliability of data transmitted over the communications channel. Well, after 18 years, those encryption algorithms have begun demonstrating certain weaknesses, such as CVE-2014-3566, a man-in-the-middle (MITM) vulnerability. Google discovered this critical flaw in SSLv3; the issue can allow an attacker to extract secret information from inside an encrypted transaction. Interestingly, in their QA, PCI SSC stated:

"The new date of June 2018 offers additional time to migrate to more secure protocols, but waiting is not recommended. The existence of the POODLE and Heartbleed exploits, among others, prove that anyone using SSL and early TLS risks being breached."

There are no known methods to remediate vulnerabilities like POODLE. In light of this, the revised mandate offers you wiggle room, BUT it is well noted there is high risk for not switching now. SSL has been around for a while and it is widely deployed, so the impact of not switching over soon could be significant. The consequences might not affect just security, either. Modern web browsers will begin prohibiting SSL connections in the very near future, a configuration change which will prevent users (employees, customers, etc.) from accessing web servers that have not migrated to a more modern protocol. This will be quite disruptive if IT teams do not address migration proactively.

What to do?

Clearly, organizations must not wait and should prioritize what assets and systems need to migrate to PCI 3.1 immediately. Systems with highly sensitive data, online or e-commerce servers, or servers with core functions seem to be the likely candidates. To assist with this process, the PCI SSC provided some guidance in a recent webinar on migration strategies, noting there are some environments – like Point of Sale (POS) or Point of Interaction terminals – that do not have the same level of vulnerability because some of them do not exhibit browser-like behavior that attackers can leverage. Though POS systems are key targets for credit card scraping and other POS malware, it's best to be prudent and protect them anyway. As an experienced PCI provider, we at Tripwire can help you identify and prioritize your PCI 3.1 efforts. But don’t take our word for it. We had an independent lab examine how they would view Tripwire products in a PCI 3.1 audit to make sure we’re helping our customers effectively. Download this white paper, authored by UL Transaction Security, to find out more. _{Title image courtesy of ShutterStock}