The PCI Security Standards Council (PCI SSC) recently published PCI Data Security Standard (PCI DSS) 3.1. The revision includes general updates and clarifications, but also addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.
PCI DSS 3.1 is effective immediately. Merchants have about 14 months to remove the flawed SSL and TLS protocols before version 3.0 is retired in June 2015. However, effective immediately, merchants are prohibited from implementing any new technology that relies on SSL or TLS 1.0.
The move was prompted by an update to the National Institute of Standards and Technology (NIST) Special Publication 800-52, in which NIST stated that SSL and early TLS are no longer secure or strong encryption standards.
"At the Council we are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats and vulnerabilities," said PCI SSC General Manager Stephen Orfei in a statement. He stated that the vulnerabilities within the SSL protocol present a risk to payment data and that the Council was dedicated to arming organizations with ways to address threats.
Experts, such as Don Brooks, senior security engineer with Chicago-based compliance and security services firm Trustwave Inc., are pleased that PCI DSS 3.1 gave merchants time to adapt to the change. Many have also, however, expressed concern that some merchants may not treat this as an urgent situation, given the 14-month transition period.
Troy Leach, the SSC's chief technology officer, stated that it was important to find a balance between providing reasonable timeframes for migration and impressing upon merchants how serious the issue actually is.
It's important for organizations to update their credit card payment software regularly to protect customers.