Revisions to PCI DSS | PA DSS 3.0
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that credit card information is maintained in a secure environment. In January of 2014 the PCI Data Security Standard 3.0 became effective, raising the bar for security by encouraging a structured and continuous approach, and urging businesses that process, store or transmit credit card information to be compliant.
In order to ensure the integrity of the PCI Standards, the PCI Security Standards Council (SSC) updates the standards through an ongoing process. The PCI SSC Council released a statement on February 13, 2015 announcing impending revisions to the Payment Card Industry Data Security Standard (PCI DSS) as well as the Payment Application Data Security Standard (PA-DSS). The PCI SSC has determined that the Secure Sockets Layer (SSL) protocol is no longer an acceptable solution for the protection of data based on their definition of “strong cryptography.”
The PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms v3.0 defines strong cryptography:
Cryptography based on industry-tested and accepted algorithms, along with strong key lengths (minimum 112-bits of effective key strength) and proper key-management practices.
The PCI SSC intends to publish the PCI DSS 3.1 and PA DSS 3.1 in the near future, in order to address the SSL issue. There is no indication of when both PCI DSS 3.1 and PA-DSS 3.1 will be published, but when they are published the standards “will be effective immediately.” Due to the complexity of detecting all implementations of SSL, there will be a grace period before the requirements are enforced.
As a PCI Qualified Security Assessor (QSA) and Authorized Scanning Vendor (ASV), Herjavec Group is committed to improving organizations’ overall security strategy, through compliance with the PCI DSS and PA-DSS. Before the new standards are released, there is no known way to remediate vulnerabilities inherent in the SSL protocol. However, the first step in each organization’s resolution of the SSL issue should be to create inventory* of all types and counts of systems that are using SSL. Each organization will likely have its own SSL story.
Once the types and counts of all impacted systems are determined, Herjavec Group will work with existing clients to ensure compliance with the PCI DSS 3.1.
Further details and best practices are provided in the following:
- NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
- NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)