By Paul Brennecker, Principal QSA at Security Risk Management Ltd
On Wednesday 15th April 2015 the PCI SSC (Payment Card Industry Security Standards Council) published PCI DSS Version 3.1, updating the payment card industry guidelines. While these changes mean enhanced privacy for consumers and better safeguarding of data, they also require most companies that hold cardholder data or process payments to review their payment procedures as soon as possible.
Superficially, PCI DSS v3.1 comes with only subtle adjustments to the existing requirements, but those adjustments have far-reaching implications.
Effective immediately, all versions of Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) are no longer considered strong cryptography. This affects PCI DSS Requirements 2.2.3, 2.3 and 4.1: SSL and early TLS cannot be used as a security control after 30 June 2016.
Moreover, 3.1 reinforces the requirements around the PAN (Primary Account Number). The new guidelines prioritise ‘PAN truncation’, a security measure that removes all but the first 6 and last 4 digits, thereby helping to protect payment card data. PAN truncation is a mechanism used by POS (point of sale) terminals and in many countries is already a mandatory cyber security measure.
Previously, neither a hashed nor a truncated version of the PAN was considered to be cardholder data. Version 3.1 makes it clear that, to protect cardholder data, the two must never be held together: an attacker who has the first six and last four digits only needs to generate candidate values for the missing digits, hash each one and compare until a match is found.
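To make the point above concrete, here is an added Python example (not from the article or from the PCI SSC) that enumerates every Luhn-valid PAN consistent with a first-six/last-four truncation, shows that a plain (unkeyed) SHA-256 hash of the PAN is matched against that small candidate set almost instantly, and contrasts it with a keyed hash (HMAC), which cannot be tested without the key. The sample PAN is a constructed, well-known test number and the HMAC key is a placeholder.

```python
import hashlib, hmac
from itertools import product
from typing import Iterator, Optional

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
PLACEHOLDER_KEY = b"placeholder-hmac-key"  # placeholder; a real key lives in an HSM/key store

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, as used for payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: only the first six and last four digits remain."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def candidates(truncated: str) -> Iterator[str]:
    """Every Luhn-valid PAN consistent with a truncated PAN (10**5 for six hidden digits)."""
    first, last = truncated[:6], truncated[-4:]
    for middle in product("0123456789", repeat=len(truncated) - 10):
        pan = first + "".join(middle) + last
        if luhn_valid(pan):
            yield pan

def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: the pattern 3.1 warns about."""
    return hashlib.sha256(pan.encode()).hexdigest()

def recover_from_unkeyed_hash(truncated: str, digest_hex: str) -> Optional[str]:
    """Truncated PAN + unkeyed hash: the candidate set is small enough to hash
    exhaustively, so together they are effectively the full PAN."""
    for pan in candidates(truncated):
        if unkeyed_pan_hash(pan) == digest_hex:
            return pan
    return None

def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): candidates cannot be tested without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    trunc = truncate_pan(SAMPLE_PAN)
    print(trunc, "+ unkeyed ->", recover_from_unkeyed_hash(trunc, unkeyed_pan_hash(SAMPLE_PAN)))
    print(trunc, "+ keyed   ->", recover_from_unkeyed_hash(trunc, keyed_pan_hash(SAMPLE_PAN, PLACEHOLDER_KEY)))
```

The second lookup returns nothing because the keyed digest never matches an unkeyed candidate hash; the keyed variant is one way to stop a stored hash from undoing truncation.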
Another important change is the prohibition on sending PANs via ‘end-user messaging technologies’. This means that sending an SMS that shows a card's PAN is explicitly no longer acceptable unless the PAN is encrypted. Cardholder data is thus not only prohibited from traversing the Internet via email or instant messaging; from now on, messages sent over GSM, CDMA and TDMA networks also fall within the scope of the PCI compliance requirements.
Lastly, and perhaps most significantly, the stance on Secure Sockets Layer (SSL) has hardened. On 25th March 2015 the PCI SSC released an FAQ with additional information on how SSL poses a risk to payment card data and how this affects point-of-sale devices and web servers. PCI DSS 3.1 clarifies this stance. It is therefore now vital to abandon SSL and migrate to a current version of TLS as soon as possible.
The revisions in 3.1 reflect changes in the threat landscape and the increase in the number of attacks recorded during 2014; the PCI Council's initiative therefore needs to be taken seriously. Most companies that hold cardholder data and process payments through debit or credit cards will need to review their processes and technologies in the near future.