The Payment Card Industry Security Standards Council (PCI SSC) has moved to fix the security vulnerabilities in the Secure Sockets Layer (SSL) and early versions of the Transport Layer Security (TLS) protocols, exposed by both Heartbleed and Poodle, with an out-of-band updated release of PCI DSS v3.1.
This latest iteration of the PCI Data Security Standard, however, has split the IT security profession, as it is less clear-cut about what merchants must do during the 14-month transition window, which gives them until the 30th June 2016 to rid their systems of these protocols as standalone payment data protection controls.
The new standard says they should create a formal risk mitigation and migration plan.
Paul Hampton, payments security expert at Gemalto, said: “Although 14 months might seem like a long time to transition away from a vulnerability that we know is being actively exploited, from a PCI perspective, we need to understand the importance of finding a balance. There needs to be a consideration about realistic time scales and allowing vendors, especially slower moving businesses, time to move onto a different solution. They may need more time to gather knowledge about changing their systems to one that is right for their customers and finding another secure solution. Ideally, you’d want everyone to move across straight away when there is a vulnerability, and in some cases it is just a case of flicking a switch to change the technology quickly – but for PCI regulated businesses, they often need more time to make the changes necessary.
“With regards to the risk mitigation and migration plan, an action plan for technology mitigation should be viewed as more important. In this situation, we know what the fix is and therefore, we should focus on that over other actions which will only delay the inevitable – which is reconfiguring the systems to get rid of SSL/TLS risks. We know that some versions are vulnerable, and if you switch to newer versions, the problem does go away. Ultimately, it’s all about configuration, and this can be relatively simple to change.”
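As an added illustration of the reconfiguration step the quote describes (example code, not from the article, Gemalto or the PCI SSC): a small Python audit that parses nginx `ssl_protocols` and Apache `SSLProtocol` directives, reports which SSL or early TLS versions a server would still offer, and builds a client-side context that refuses them. The directive syntax handled, the expansion of Apache's `all` keyword, and the treatment of TLS 1.0 as "early TLS" (with TLS 1.1 reported as weak rather than failing) are assumptions; the sample configurations are constructed to show the weak setting beside its corrected form.

```python
"""Audit web-server TLS protocol settings for SSL / early TLS.

Example code (not from the article or the PCI SSC). Assumptions: nginx
`ssl_protocols` and Apache `SSLProtocol` syntax; "early TLS" means TLS 1.0;
TLS 1.1 is reported as weak; Apache's `all` expands to APACHE_ALL below.
"""
import re
import ssl

# Policy used by this audit (assumption, modelled on "SSL and early TLS").
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK = {"TLSv1.1"}  # reported, but does not by itself fail the audit
# Assumption: what Apache's `all` keyword enables on a typical build.
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_nginx(config: str) -> list:
    """Collect protocol names from every `ssl_protocols` directive."""
    found = []
    for match in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", config, re.M):
        found.extend(match.group(1).split())
    return found


def parse_apache(config: str) -> list:
    """Resolve an `SSLProtocol` line: `all`, `+name`, `-name`, or bare names.

    Simplification: the last directive in the file wins; no per-vhost scoping.
    """
    enabled = []
    for match in re.finditer(r"^\s*SSLProtocol\s+(.+)$", config, re.M):
        enabled = []
        for token in match.group(1).split():
            if token.lower() == "all":
                enabled.extend(APACHE_ALL)
            elif token.startswith("-"):
                enabled = [p for p in enabled if p != token[1:]]
            else:
                enabled.append(token.lstrip("+"))
    return enabled


def audit(protocols) -> dict:
    """Classify enabled protocols; compliant only if nothing deprecated is on."""
    deprecated = sorted(p for p in protocols if p in DEPRECATED)
    weak = sorted(p for p in protocols if p in WEAK)
    return {"deprecated": deprecated, "weak": weak, "compliant": not deprecated}


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses SSL and early TLS (the corrected state)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_early_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate TLS 1.1 or older."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1_1


# Constructed sample configurations: the weak setting and its corrected form.
NGINX_BEFORE = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_AFTER = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2;\n}\n"
APACHE_BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for name, text, parser in [
        ("nginx before", NGINX_BEFORE, parse_nginx),
        ("nginx after", NGINX_AFTER, parse_nginx),
        ("apache before", APACHE_BEFORE, parse_apache),
        ("apache after", APACHE_AFTER, parse_apache),
    ]:
        print(f"{name:14} {audit(parser(text))}")
    print("hardened client context allows early TLS:",
          allows_early_tls(hardened_context()))
```

Running the block prints the audit verdict for each of the four constructed configurations; only the "after" forms come back compliant. The same `audit` function can be pointed at a real configuration file's text, and the `hardened_context` helper is the client-side counterpart for any Python code that must itself stop negotiating the old versions.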