The governing body behind the Payment Card Industry Data Security Standard has confirmed that the next version...
of the mandate will be released in just a few weeks, which could spark a scramble by merchants trying to implement the surprise update.
In a press release FAQ posted to its website last week, the PCI Security Standards Council (SSC) announced that it will publish PCI DSS version 3.1 in April, to be followed shortly thereafter by a revision to the payment system's PA-DSS guideline.
The SSC quietly announced last month that inherent weaknesses in the SSL version 3.0 protocol, commonly used by applications to encrypt the transmission of sensitive payment data, would require an unscheduled update to PCI DSS. Normally updated at three-year intervals, PCI DSS isn't due for a scheduled update until fall of 2016; PCI DSS 3.0 was released in November 2013.
The impending 3.1 update is largely a reaction to the wave of recent vulnerabilities affecting the integrity of the depreciated SSL protocol, as well as its newer cousin TLS. These include the infamous Heartbleed flaw in some OpenSSL implementations, the POODLE flaw that compromises legacy (but still commonly used) SSL 3.0 implementations, and the FREAK attack that enables attackers to intercept and decrypt SSL traffic in some applications, including Windows.
Plus, just last week, Imperva Inc. researchers discovered what's being called the Bar Mitzvah attack, which exploits the outdated RC4 encryption algorithm that is still commonly used in many current SSL/TLS deployments.
According to the SSC, the changes in PCI 3.1 will affect all requirements that reference SSL as an example of what it calls "strong cryptography," which in its glossary of terms is defined as "cryptography based on industry-tested and accepted algorithms, along with strong key lengths (minimum 112-bits of effective key strength) and proper key-management practices."
"The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as not being acceptable for the protection of data due to inherent weaknesses within the protocol," the SSC said in its statement. "Because of these weaknesses, no version of the SSL protocol meets the PCI Security Standards Council (PCI SSC) definition of 'strong cryptography.'"
Regarding specific mandates that will be affected by the upcoming PCI DSS changes, the SSC referenced Requirements 2.2.3 (encryption for VPNs, NetBIOS, file sharing, Telnet, FTP and similar services), 2.3 (encryption for Web-based management and other non-console administrative access) and 4.1 (encryption of cardholder data during transmission over open, public networks).
"Upgrading to a current, secure version of TLS, the successor protocol to SSL, is the only known way to remediate the SSL vulnerabilities which have been most recently exploited by browser attacks including POODLE and BEAST," the SSC said in its statement.
Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based research firm Gartner Inc., said the release of PCI DSS 3.1 is not only being expedited incredibly quickly, but will also catch many merchants by surprise.
"Our clients are just starting to come to grips with PCI DSS 3.0, which became effective in January, so it's unusual to see an update so soon," Litan said. "[The SSC] must've seen some big holes in the implementations out there that led them to rush out an update like this."
Litan said becoming compliant with the changes in PCI DSS 3.1 may prove particularly difficult for merchants because while some use of SSL, such as in databases or products that encrypt data at rest, may be under direct control of merchants, other SSL use may not be.
"It depends where the encryption is used, but if it's in the [point-of-sale] system, they don't have control," Litan said. "It'll be up to their POS vendors, and they'll have to work with their vendors to implement the updated encryption."
Once it is released in April, PCI DSS 3.1 will be effective immediately, but the SSC said updated requirements will be future-dated to provide merchants with time to implement the changes before being assessed against them. How much time those organizations will receive, however, remains unclear.
Litan said it's hard to imagine how the rush to implement PCI DSS 3.1 won't be a fire drill for merchants.
"It's always too fast for the average company to absorb and for the vendors to comply with," Litan said of the PCI DSS update cycle, "but really, they have no choice."
Worse yet, Litan admitted that because even the most recent version of TLS, version 1.2, is considered flawed, it's unclear whether the new encryption mandates put forth in PCI DSS 3.1 will effectively address all the vulnerabilities and known exploits that exist with SSL/TLS and specific types of encryption implementations.
"I think it really just illustrates the cat-and-mouse game that exists today," Litan said. "It's almost impossible to keep up with all these vulnerabilities, but you do the best you can.
"You're never going to be able to stop them completely," Litan added, "but the idea is to make the criminals' life harder so they'll go attack someone else."