PCI Council Releases New Version of Payment Card Security Standard
The PCI Council normally releases a new version of the standard which governs merchants that accept credit cards once every three years. Given that version 3.0 came out in January, everybody thought they were safe for a while. Version 3.1 was released today and even though merchants have 14 months to become compliant, there is work that they have to do between now and June 2016 (see article).
SSL or secure sockets layer and its cousin TLS or Transport Layer Security are the underlying protocols that protect all of our credit card transactions, online and often in stores too. Unfortunately, there have been a number of major security issues with SSL and what they call the early versions of TLS (1.0 and 1.1 in particular). These problems caused the PCI Council to release version 3.1 so quickly after 3.0.
For most small merchants, they rely on a packaged system and while they are still required to be compliant, what that will mostly mean is asking their vendors to certify that they are compliant and use their evidence of that in the documentation the merchant creates to satisfy their credit card accepting bank.
In what is an unusual move for the PCI Council, merchants are prohibited from implementing new systems using these non-secure protocols, effective immediately.
This standard says that unless you can prove that your installation of SSL or early TLS is immune to all of the known attacks, current and future, you have to replace it with a secure version.
In addition you must document your plan to migrate away from SSL and early TLS and how you are going to mitigate the risk in the mean time.
While these moves are really required in order to keep consumers using their credit cards (i.e. to make sure that consumers are confident in the protections), it is still a major pain in the neck for businesses.
Also, the requirement that ALL businesses do penetration testing that was started in PCI 3.0 is clarified in PCI 3.1. For businesses, this is a king size pain in the tush because penetration testing (or pen testing) is significantly more complex (and hence expensive) than what most businesses were doing before, which is checking for known vulnerabilities.
Pen testing must be conducted from both inside the business and from the outside (Internet side) and it must cover the entire cardholder data environment, the controls that limit that environment and must use a recognized testing framework like NIST SP800-115. These requirements go into effect this July (see article).
All in all, this is a significant effort and while small merchants used to be exempted for some of these requirements, this is no longer the case. This likely will require specific technical expertise to be brought in or contracted for.