The Wakefield, Mass.-based PCI Security Standards Council (PCI SSC) revised its Payment Application Data Security Standard (PA-DSS) to address vulnerabilities in encryption protocols that primarily affect web servers and browsers that drive payment terminals.

PA-DSS 3.1 aligns with the recent release of PCI Data Security Standard 3.1, which primarily addressed vulnerabilities in the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. With this revision and supporting guidance, the Council urges organizations to understand if and how their payment applications are using SSL and upgrade to a secure version of TLS.

“The vulnerabilities are so concerning that the PCI Security Standards Council went against their standard release process and made an interim change to the PA-DSS standard,” Brad Cyprus, chief of security and compliance at the Houston-based Netsurion (formerly VendorSafe), a provider of secure networks, said. “The life cycle for the standards is supposed to be three years, but the issues with SSL (and early TLS) were so great in the opinion of the PCI Security Standards Council that they made this drastic move to address what they believed to be an immediate threat to the payment landscape.”

If exploited, the vulnerability can jeopardize payment-card data security. The only known way to remediate SSL's exposure to POODLE and BEAST is to upgrade payment applications and systems to a minimum of TLS 1.1 (the successor protocol to SSL).

POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks let a man in the middle, such as a malicious Wi-Fi hotspot or a compromised ISP, extract data from secure HTTP connections. The BEAST (Browser Exploit Against SSL/TLS) attack compromises the confidentiality of an HTTPS connection in a short amount of time.

“The council works closely with the payment security community on any changes made to the PCI Standards,” PCI SSC Chief Technology Officer Troy Leach said. “This update falls in line with our mission of pushing for the best security as soon as possible, while empowering organizations to take a pragmatic, risk-based approach to protecting their data.”

There have been many vulnerabilities found in all versions of SSL and early versions of TLS (which superseded SSL), Cyprus pointed out. No patch or remediation can fix most issues. In particular, POODLE can intercept data transmitted via SSL or early TLS.

The primary change to PA-DSS, along with some housekeeping issues and clarifications, has to do with removing SSL and an early version of TLS from the standard as examples of secure protocols. New installations are only supposed to use TLS 1.1 or 1.2 moving forward, and existing installations have until June 30, 2016 to migrate to the new standard.

From an operations standpoint, this means that merchants who have software or payment terminals that use SSL/early TLS must upgrade the equipment to support later versions of TLS. In some cases, this will not be a simple matter, Cyprus points out. Merchants can determine their software upgrading needs in a few ways. Their POS resource will have to educate them and convince them to spend the money on an upgrade within a year. Considering the millions of merchants who accept credit cards, this is a herculean task, he said.

Furthermore, explains Cyprus, some standalone payment terminals, which are completely hardware-based and have their operating systems written on their internal chips, might not be able to support SSL.

“Again the merchant may not have any way to determine if their device is vulnerable or not,” Cyprus said. “This would once again require the merchant to be contacted by the person who supports their terminal, educate them on the change to the standard, and convince them to spend the money to upgrade.”


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and has worked on history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).