On the 13th of February, the PCI Security Standards Council confirmed the pending release of a new version of security standards for Merchants due to increasing cyber attacks.
“When the council delivers PCI 3.1 this month it will call for merchants to change the common Secure Socket Layer, or SSL, protocol between a server and client to a more secure version of Transport Layer Security, or TLS.” – says Payment Source.
Vendors are trying to spread the word about the upcoming update quickly, even before the exact requirements of PCI 3.1 are known.
Well-known attacks such as Heartbleed, Shellshock and POODLE have exposed weaknesses in the Secure Sockets Layer, or SSL. This may mean a move to a protocol that follows federal government encryption standards.
What does this update mean for merchants? E-commerce merchants will need to configure their web servers to work with Transport Layer Security, TLS, and no longer support SSL. Brick-and-mortar businesses may need to completely update their payment applications, says Don Brooks, senior security engineer for Chicago-based Trustwave.
Merchants updating for the EMV shift this coming October may be able to update their point of sale for PCI 3.1 at the same time as the EMV updates are made.
“For most vendors, this will not be a problem and should be a quick fix. But for some, there may be an issue to deal with, or a configuration change or coding a solution that could take some time,” Brooks says.
“Certificate” is the technical term for a package that contains encryption and identity information about a site’s operator. Essentially, the certificate verifies the site operator and that the operator is the only entity that can read information from a site visitor.
“The certificates ride on top of the protocol, so the only change that needs to be made is just in how the servers and systems are configured to make sure they don’t support older, non-secure ciphers,” Brooks said.
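As an added illustration of the configuration change Brooks describes (this is example configuration, not from the article or from Trustwave), here is an Apache httpd mod_ssl virtual host before and after the change. The hostname, file paths and the assumption that the server runs Apache 2.4 with mod_ssl are all hypothetical.

```apache
# --- BEFORE (weak): the defaults on many older installs ---
# "all" still admits SSLv3, the protocol broken by POODLE, and the
# cipher list lets clients pick RC4 or export-grade suites.
<VirtualHost *:443>
    ServerName        shop.example.com          # hypothetical host
    SSLEngine         on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt   # hypothetical path
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key # hypothetical path
    SSLProtocol       all
    SSLCipherSuite    ALL
</VirtualHost>

# --- AFTER (hardened): SSL off, TLS 1.1+ only ---
# The certificate files are unchanged; only the protocol and
# cipher configuration moves.
<VirtualHost *:443>
    ServerName        shop.example.com          # hypothetical host
    SSLEngine         on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt   # hypothetical path
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key # hypothetical path

    # Disable every protocol, then re-enable only TLS 1.1 and 1.2.
    # On builds that support it, add +TLSv1.3 as well.
    SSLProtocol       -all +TLSv1.1 +TLSv1.2

    # Server, not client, decides the cipher; drop anonymous,
    # MD5, RC4 and 3DES suites.
    SSLHonorCipherOrder on
    SSLCipherSuite    HIGH:!aNULL:!MD5:!RC4:!3DES

    # TLS-level compression enables the CRIME attack; turn it off.
    SSLCompression    off
</VirtualHost>

# Verification after reload (run from any client machine):
#   openssl s_client -connect shop.example.com:443 -ssl3    -> handshake failure
#   openssl s_client -connect shop.example.com:443 -tls1_2  -> connects, shows certificate
```

Point-of-sale and payment applications that embed their own TLS library need the equivalent change in that library's settings, which is the harder case Brooks refers to.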
“The damage [from SSL] may already be done,” said Ulf Mattsson, chief technology officer at data security provider Protegrity. “Though new software is inevitable, waiting for better software is not an option.”
While a move to TLS 1.1 may resolve the server connection vulnerabilities for a time, it is far better for organizations to address “proactive security of the data itself,” Mattsson said.
“By tokenizing or encrypting sensitive data at the point of creation or acquisition, it can be made useless to potential thieves, even in memory,” Mattsson added.
Still, there is “no perfect answer to fix years of exposure,” Mattsson said. Moving forward, merchants and other organizations need to adopt security solutions that can reduce the risk even if Web protocols are vulnerable.
Compared to SSL, the TLS protocol uses stronger encryption algorithms and has the ability to work on different ports. In its first version, TLS was used mostly as a setting in e-mail programs, but it serves a similar role in any client-server transaction.
The PCI Council is behind the protocol change “in a big way,” said Al Pascual, senior analyst for Javelin Strategy & Research. Still, it is likely that new attacks will continue to prompt updates and changes to Web protocols, he added.
“The merchants have to make this upgrade,” Pascual said. “When criminals compromise data at the point of sale after EMV is properly deployed, they can’t use that data to make a counterfeit EMV card, so they will start focusing on breaching e-commerce merchants instead.”