Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 11 June, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

PCI council classifies SSL as "not acceptable for protection of data"

by The Gurus
February 17, 2015
in Editor's News
Share on FacebookShare on Twitter

The Secure Socket Layers (SSL) v3.0 protocol is no longer acceptable for protection of data due to inherent weaknesses within the protocol.
 
According to a bulletin from the PCI council on impending revisions to the PCI data security standard (DSS) and the payment application data security standard (PA–DSS), following The National Institute of Standards and Technology (NIST) identifying the Secure Socket Layers (SSL) v3.0 protocol as no longer being acceptable for protection of data due to inherent weaknesses within the protocol, the PCI council has said that no version of SSL meets PCI SSC’s definition of “strong cryptography”.
 
The security standards council said that revisions to PCI DSS and PA-DSS are necessary. “After working with stakeholders over the last several months to understand the impact to the industry, the Council will soon publish PCI DSS v3.1 and PA-DSS v3.1 to address this issue and provide other minor updates and clarifications,” a statement said.
 
“When published, PCI DSS v3.1 will be effective immediately, but impacted requirements will be future-dated to allow organisations time to implement the changes. For PA-DSS v3.1, the Council is also looking at how to address both future submissions and currently listed applications”.
 
The council said that in the interim, as there is no known way to remediate vulnerabilities inherent in the SSL protocol, the PCI Security Standards Council urged organisations to determine available options for upgrading to a strong cryptographic protocol as soon as possible.
 
The bulletin followed the January edition of the Council’s assessor newsletter, which confirmed that “no version of SSL meets PCI SSC’s definition of ‘strong cryptography’, and updates to the standards are needed to address this issue”, as reported by PCI Guru.
 
Speaking to IT Security Guru, Lancope CTO TK Keanini said that the problem is that clients and servers are not set up to negotiate, and so the danger is no one really understands what version is.
 
He said: “TLS was essentially the original version of SSL, that is all it was, and it comes down to implementation or math – one of them is going to have to fall. If the math is solid then someone’s implementation screwed up and I don’t know what makes the protocol itself weak, but I think the death nail was POODLE. The answer is whatever the flaw is in POODLE, the implementation is in the specification for SSL v3.”
 
John Smith, solutions architect at Veracode, said: “It is an accepted fact that SSL v3 is no longer secure, and that organisations should stop using it. However, many organisations have an existing application portfolio that includes applications and clients (e.g. browsers) which continue to depend upon it.
 
“Furthermore, our experience working with large enterprises suggests that most have an incomplete inventory of their application estate let alone knowing where SSL v3 remains enabled.
 
“For any organisation which intends to get a grip of this problem, the first step will be to understand both the extent of their application portfolio and also the prevalence of SSL v3 across the portfolio. This will allow informed decisions to be made about which applications should be upgraded and which should be retired to maintain an acceptable risk posture.”

FacebookTweetLinkedIn
Tags: PCISSL
ShareTweet
Previous Post

$15 million – enough for the job of securing Sony?

Next Post

Hunting high and low

Recent News

Ransomware

Clop Ransomware Gang Extorts Household Names including BBC, British Airways and Boots

June 9, 2023
code

Developers Kept Away From Coding, Estimated £10.4bn a Year Wasted

June 8, 2023
large open office, bright.

Employees Feel 10 Times Calmer in an Environmentally Friendly Office Space

June 7, 2023
Blue Logo OUTPOST24

Outpost24 Acquires EASM Provider Sweepatic

June 7, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information