Eskenzi PR Eskenzi PR
  • About Us
Thursday, 22 April, 2021
IT Security Guru
Eskenzi PR
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

PCI council classifies SSL as "not acceptable for protection of data"

by The Gurus
February 17, 2015
in Editor's News
Share on FacebookShare on Twitter

The Secure Socket Layers (SSL) v3.0 protocol is no longer acceptable for protection of data due to inherent weaknesses within the protocol.
 
According to a bulletin from the PCI council on impending revisions to the PCI data security standard (DSS) and the payment application data security standard (PA–DSS), following The National Institute of Standards and Technology (NIST) identifying the Secure Socket Layers (SSL) v3.0 protocol as no longer being acceptable for protection of data due to inherent weaknesses within the protocol, the PCI council has said that no version of SSL meets PCI SSC’s definition of “strong cryptography”.
 
The security standards council said that revisions to PCI DSS and PA-DSS are necessary. “After working with stakeholders over the last several months to understand the impact to the industry, the Council will soon publish PCI DSS v3.1 and PA-DSS v3.1 to address this issue and provide other minor updates and clarifications,” a statement said.
 
“When published, PCI DSS v3.1 will be effective immediately, but impacted requirements will be future-dated to allow organisations time to implement the changes. For PA-DSS v3.1, the Council is also looking at how to address both future submissions and currently listed applications”.
 
The council said that in the interim, as there is no known way to remediate vulnerabilities inherent in the SSL protocol, the PCI Security Standards Council urged organisations to determine available options for upgrading to a strong cryptographic protocol as soon as possible.
 
The bulletin followed the January edition of the Council’s assessor newsletter, which confirmed that “no version of SSL meets PCI SSC’s definition of ‘strong cryptography’, and updates to the standards are needed to address this issue”, as reported by PCI Guru.
 
Speaking to IT Security Guru, Lancope CTO TK Keanini said that the problem is that clients and servers are not set up to negotiate, and so the danger is no one really understands what version is.
 
He said: “TLS was essentially the original version of SSL, that is all it was, and it comes down to implementation or math – one of them is going to have to fall. If the math is solid then someone’s implementation screwed up and I don’t know what makes the protocol itself weak, but I think the death nail was POODLE. The answer is whatever the flaw is in POODLE, the implementation is in the specification for SSL v3.”
 
John Smith, solutions architect at Veracode, said: “It is an accepted fact that SSL v3 is no longer secure, and that organisations should stop using it. However, many organisations have an existing application portfolio that includes applications and clients (e.g. browsers) which continue to depend upon it.
 
“Furthermore, our experience working with large enterprises suggests that most have an incomplete inventory of their application estate let alone knowing where SSL v3 remains enabled.
 
“For any organisation which intends to get a grip of this problem, the first step will be to understand both the extent of their application portfolio and also the prevalence of SSL v3 across the portfolio. This will allow informed decisions to be made about which applications should be upgraded and which should be retired to maintain an acceptable risk posture.”

0 0 vote
Article Rating
FacebookTweetLinkedIn
Tags: PCISSL
ShareTweetShare
Previous Post

$15 million – enough for the job of securing Sony?

Next Post

Hunting high and low

Subscribe
Notify of
guest
guest
0 Comments
Inline Feedbacks
View all comments

Recent News

edgescan logo

PRODUCT REVIEW – Edgescan makes fullstack vulnerability management easy

April 21, 2021
The clubhouse app

Armis and UK’s Eseye partner to secure connected devices on any cellular network

April 20, 2021
Performanta acquires Identity Experts to bolster Microsoft IAM and security capabilities

Performanta acquires Identity Experts to bolster Microsoft IAM and security capabilities

April 20, 2021
AT&T Cybersecurity Launches New Managed Endpoint Security Solution with SentinelOne

AT&T Cybersecurity Launches New Managed Endpoint Security Solution with SentinelOne

April 19, 2021

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

More information
wpDiscuz
0
0
Would love your thoughts, please comment.x
()
x
| Reply
Privacy Settings / PENDINGGDPR Compliance

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Accept