Following a run of high-profile vulnerabilities in the SSL/TLS encryption protocols, the PCI Security Standards Council has published an out-of-schedule update to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
Version 3.1 of the PCI DSS and version 3.1 of the PA-DSS were effective on publication, on 15 April 2015 and 1 June 2015 respectively. This is a departure for the Council, which normally revises the standards on a three-year cycle.
Recent well-publicised flaws have made it easier for attackers to break the encryption on web traffic and capture sensitive customer data for fraud, electronic surveillance and so on. POODLE, BEAST and FREAK are attacks on the protocol itself or on its version and cipher negotiation: a man-in-the-middle forces the connection down to SSL 3.0, to TLS 1.0 cipher-block-chaining mode, or to an export-grade RSA cipher suite, and then recovers plaintext or the session key from the weakened connection. Heartbleed is different in kind: it is a memory-disclosure bug in OpenSSL's implementation of the TLS heartbeat extension, fixed by patching the library rather than by retiring a protocol version. The protocol-level attacks all exploit weaknesses in Secure Sockets Layer (SSL) and the early versions of Transport Layer Security (TLS).
The National Institute of Standards and Technology (NIST) has determined, in its TLS guidance (Special Publication 800-52 Revision 1), that SSL and early versions of TLS (version 1.0 and, in some configurations, version 1.1) no longer constitute ‘strong cryptography’. Because PCI DSS requirements for protecting cardholder data in transit are defined in terms of strong cryptography, this has had a direct impact on the PCI DSS and PA-DSS.
“We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data. The PCI Standards development process allows us to do this based on industry and market input,” said Stephen Orfei, general manager, PCI SSC.
“With PCI DSS 3.1 and supporting guidance we are arming organisations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”
PCI DSS version 3.0 will be retired on 30 June 2015, after which assessments are against version 3.1. Under 3.1, new implementations must not use SSL or early TLS, and existing implementations have until 30 June 2016 to migrate: after that date SSL and early TLS cannot be used as security controls to protect payment data.
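The migration deadline only matters if you know which protocol versions your own endpoints will still negotiate, and a scan run through the local OpenSSL build can miss SSLv3 because modern builds refuse to offer it. The script below is an added example, not code from the PCI SSC or from the article: it hand-builds one ClientHello per version (SSLv3 through TLS 1.2), sends it over a plain socket, and classifies the server's first record as a ServerHello (reporting the version and cipher suite it accepted) or an alert. The host and port are arguments you supply; the cipher-suite list and the "prohibited / review / acceptable" labels are this example's own reading of the 3.1 text, and the byte strings used to exercise the parser are constructed, not captured traffic.

```python
"""Probe which SSL/TLS protocol versions a server is willing to negotiate.

Added example for the PCI DSS 3.1 migration; not PCI SSC code. Sends a raw
ClientHello per version so the result does not depend on what the local
TLS library supports. Host/port are supplied by the caller (assumption).
"""
import os
import socket
import struct
import sys

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# This example's reading of PCI DSS 3.1: SSL and TLS 1.0 are not strong
# cryptography; TLS 1.1 is accepted only under restrictions, so flag it for review.
STATUS = {"SSLv3": "prohibited", "TLS 1.0": "prohibited",
          "TLS 1.1": "review", "TLS 1.2": "acceptable"}

# Widely supported suites; the AES-CBC and 3DES ones exist from SSLv3 onward,
# so a server that supports the offered version has something it can pick.
CIPHER_SUITES = [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035, 0x000A]

ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version, server_name=None):
    """Return one record-layer message carrying a ClientHello that offers `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!H", version) + os.urandom(32)   # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # compression_methods: null only
    if server_name and version >= 0x0301:                # SNI is a TLS extension; SSLv3 has none
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry                # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni           # extension_type 0
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    record_version = 0x0300 if version == 0x0300 else 0x0301       # record layer stays low
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sends back: ServerHello, alert, or other."""
    if len(data) < 5:
        return {"kind": "no_response"}
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:                 # Alert
        level, desc = payload[0], payload[1]
        return {"kind": "alert", "level": "fatal" if level == 2 else "warning",
                "description": ALERTS.get(desc, str(desc))}
    if content_type == 0x16 and len(payload) >= 4 and payload[0] == 0x02:  # ServerHello
        hs_len = int.from_bytes(payload[1:4], "big")
        hello = payload[4:4 + hs_len]
        if len(hello) < 35 or len(hello) < 37 + hello[34]:
            return {"kind": "malformed"}
        version = struct.unpack("!H", hello[:2])[0]
        sid_len = hello[34]                                        # skip version(2)+random(32)
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        name = VERSIONS.get(version, "0x%04x" % version)
        return {"kind": "server_hello", "version": name,
                "cipher_suite": "0x%04x" % suite, "status": STATUS.get(name, "unknown")}
    return {"kind": "unexpected", "content_type": content_type}


def probe(host, port=443, timeout=5.0):
    """Offer each version in turn and record what the server does with it."""
    results = {}
    for version, name in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                data = sock.recv(4096)
        except OSError as exc:            # reset, refusal or silence also mean "not negotiated"
            results[name] = {"kind": "connection_error", "error": type(exc).__name__}
            continue
        results[name] = parse_server_response(data)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for name, outcome in probe(target).items():
        print(f"{name:8} -> {outcome}")
```

A ServerHello carrying SSLv3 or TLS 1.0 means the server still accepts the version regardless of what it prefers, which is the condition the 2016 deadline is about; a `protocol_version` or `handshake_failure` alert, or a reset, means it refused. Only the first record is parsed, so a server that sends its certificate in the same flight is still classified correctly.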
As for PA-DSS, new application submissions to PA-DSS 3.0 will be accepted until 31 August 2015. Those awaiting validation against PA-DSS 3.0 have until 30 November 2015 to complete this process. The expiry date for payment application listings validated to PA-DSS 3.1 is 28 October 2019.