

SSL: Officially Dead (for PCI)


Written By: Tony Fulda February 12, 2015

Recently, the PCI Security Standards Council (SSC) provided QSAs with a preview of some upcoming changes to the Data Security Standard (DSS) regarding the use of Secure Sockets Layer v3.0 (SSL) and its suitability for protecting payment card data. Since then our team has been awaiting an official pronouncement to clarify the scope and impact of the proposed changes.

Here’s the latest based on an SSC bulletin released this morning:

  • The SSC, based on guidance from the National Institute of Standards and Technology (NIST), has determined that NO VERSION of SSL can meet the definition of “strong cryptography”, and SSL will no longer be acceptable for the transmission/protection of cardholder data. This is in response to the many cryptographic flaws that have plagued SSL in the recent past (POODLE, Heartbleed, etc.)
  • An update to the DSS (v 3.1) will be released in the near future to address this change, and a summary document will be released to explain and clarify the changes
  • Per the usual, the new Standard will be effective immediately, though there will be a grace period for organizations to implement the changes (deadlines TBD)
  • This will affect PA-DSS as well, though it is unclear whether currently listed applications using SSL will be grandfathered in, or what the timelines are for future payment applications to comply with the new Standard

These changes could have some profound (and potentially expensive) implications for how many organizations protect data, but based on the current threat landscape, retiring SSL is the right thing to do.  The SSC doesn’t make these types of changes/announcements without a great deal of thought: this one isn’t going away.

That said, this is the best time to get ahead of the changes.  Review your current system/application architecture and dataflows to determine where you are using SSL, and then start researching your options to meet the new definitions of strong cryptography (check out NIST SP 800-57, NIST 800-52, and the SSC’s definitions of strong cryptography for guidance, or drop us a line if you need help).
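One way to start that review on the web tier, as an added example that is not part of the original post or any SSC/AppSec tooling: a small Python audit that parses Apache `SSLProtocol` and nginx `ssl_protocols` directives and flags any that still enable SSLv2 or SSLv3. It assumes Apache 2.4 semantics for `all` (every version except SSLv2), and the sample config it scans is constructed.

```python
import re

KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {v.lower(): v for v in KNOWN}   # mod_ssl matches protocol names case-insensitively
SSL_FAMILY = {"SSLv2", "SSLv3"}          # no version of SSL counts as strong cryptography

def apache_sslprotocol(value):
    """Resolve an Apache mod_ssl `SSLProtocol` argument list into the set of enabled versions.
    mod_ssl semantics: a bare name sets the list, '+' adds, '-' removes.
    Assumption (Apache 2.4 behaviour): 'all' means every known version except SSLv2."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        versions = set(KNOWN) - {"SSLv2"} if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if op == "-":
            enabled -= versions
        elif op == "+":
            enabled |= versions
        else:
            enabled = versions
    return enabled

def nginx_ssl_protocols(value):
    """nginx `ssl_protocols` is a plain list of the versions to enable."""
    return {CANON.get(tok.lower(), tok) for tok in value.split()}

def audit(config_text):
    """Return (line_no, directive, offending_versions) for each directive that still enables SSL."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip().rstrip(";")   # drop comments and nginx ';'
        m = re.match(r"(?i)^(SSLProtocol|ssl_protocols)\s+(.+)$", stripped)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        parse = apache_sslprotocol if directive.lower() == "sslprotocol" else nginx_ssl_protocols
        bad = sorted(parse(value) & SSL_FAMILY)
        if bad:
            findings.append((n, directive, bad))
    return findings

# Constructed sample mixing Apache and nginx lines; not taken from any real deployment.
SAMPLE_CONFIG = """\
SSLProtocol all -SSLv2                     # 2.2-era default: SSLv3 still enabled
SSLProtocol all -SSLv2 -SSLv3              # remediated
SSLProtocol TLSv1.2
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # nginx: SSLv3 still enabled
ssl_protocols TLSv1.2;
"""
```

Running `audit(SAMPLE_CONFIG)` reports lines 1 and 4 as still enabling SSLv3; pointing it at real vhost files gives a first inventory of where SSL is still negotiable before the DSS v3.1 deadlines land.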

Tony Fulda

Tony Fulda has over fifteen years of information technology, information system security and technology training experience, performing technical and enterprise risk assessments and consulting for clients in the higher education, hospitality, healthcare, service provider, and retail industries. As AppSec Consulting’s Managing Director of Strategic Advisory Services, Tony is responsible for driving the strategic direction of the assessment team and ensuring that AppSec Consulting’s clients receive exceptional service and maximum return on investment.

Tony has assisted hundreds of clients achieve their security and compliance goals through scope reduction, process improvement, and strategic technology integration.  He has led or participated in a multitude of remediation projects and has performed US-based and International Level 1 Report on Compliance audits for some of the largest organizations in the world.
