The PCI Security Standards Council issued a bulletin Friday saying that no version of the Secure Socket Layers (SSL) protocol for protecting Internet communications meets its definition of strong cryptography. Accordingly, the Council said it will soon revise versions 3.0 of its main Payment Card Security data-security standard and the companion Payment Application data-security standard to reflect that conclusion.
A spokesperson for the Wakefield, Mass.-based PCI Council was unavailable for comment Monday because of the Presidents’ Day holiday. But the bulletin appears to signal that use of SSL soon could be banned from payment card processing.
The bulletin says the federal National Institute of Standards and Technology (NIST) has identified version 3.0 of SSL “as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets [the PCI Council’s] definition of ‘strong cryptography.’”
What all that means is that revisions “are necessary” to the main PCI standard and the PA-DSS, which governs card-processing software, the bulletin says. The Council issued the bulletin “after working with stakeholders over the last several months to understand the impact to the industry,” according to the notice.
Merchants, processors and other entities subject to the PCI rules will have time to implement any required changes, according to the bulletin. Besides addressing SSL, the soon-to-be released versions 3.1 of the PCI-DSS and PA-DSS also will include minor updates and clarifications.
The impact of the coming action is unclear, but could be muted. That’s because security researchers have known for years about weaknesses in the SSL protocol, which dates back to 1994 and largely has been supplanted by the so-called Transport Layer Security (TLS) protocol. Netscape Communications, then known Mosaic Communications, created the first interactive Web browser, the Netscape Navigator, and along with it SSL to encrypt data going over the unsecured Internet.
“I think this is a positive step forward from a security perspective,” Julie Conroy, research director and data-security analyst at Boston-based Aite Group LLC, tells Digital Transactions News by email. “The flaws in SSL have been known for some time, and we’ve seen TLS succeeding it in Web sites and browsers alike. This will force any laggards still relying on SSL to upgrade their processes and eliminate their reliance on a technology with known vulnerabilities.”
Last September, three researchers at Google Inc. published a report identifying the latest problem with SSL, this one dubbed POODLE, for Padding Oracle On Downgraded Legacy Encryption. Essentially, this flaw could enable a client-server system protected by TLS to default to SSL in order to bypass interoperability bugs if older servers are involved, according to the research paper.
“[POODLE] downgrades to a lower encryption, which makes it crackable,” says Dallas-based data-security consultant Branden R. Williams.
There are indeed laggards still using SSL in payment processing. They include some value-added resellers (VARs) as well as virtual private networks (VPNs) that transport card data, according to Williams. “SSL is still pretty popular,” he says.
Williams says the PCI Council’s action “should have been done immediately after researchers made POODLE public, not so far after the fact.” But the Council is responsible for developing and updating card-security standards, not enforcing them—that’s the job of the general-purpose card networks. “There’s five competing card brands,” which means that “anything that requires changes” can take time, he says.