The Payment Card Industry Security Standards Council (PCI SSC) has issued a bulletin flagging a change in the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS). This change will affect all those that are required to implement either standard.
As you may be aware over the past twelve months there have been a number of very serious vulnerabilities relating to Secure Sockets Layer (SSL), one of the key protocols used in e-commerce. The nature of the vulnerabilities has resulted in the decision that no version of SSL meets the requirement of “Strong cryptography” and as such can no longer be used.
The standards, PCI DSS and PA-DSS will be updated and reissued as version 3.1. The council has currently not provided a date as to when this will be. However they do state that once issued the standards will be effective immediately.
2- How does this affect you
The change in the standard means that web sites and other communications currently using SSL must be changed to utilise TLS instead of SSL. For many this will be a relatively innocuous change, however there may be customer impact and it is therefore recommended that efforts to remove SSL start sooner rather than later.
In addition to web servers there are other devices and applications within your environment that will be utilising SSL. If they are in scope these should also be addressed. For example firewalls, SSL VPN services, Citrix and so on. In short anything accessed using HTTPS:// will need to be checked and if using SSL, remediated.
At this moment there are no known compensating controls that can be implemented.
What if we don’t change?
If you continue to utilise SSL you will be non compliant with the standard. The quarterly ASV scans will flag that SSL is accepted and the ASV vendor will issue a FAILED report. This in turn will result in a non-compliance for PCI DSS.
Likewise in an on-site assessment or breach investigation
3- How can you remediate
You will need to reconfigure web servers to only accept TLS traffic and disable SSL.
1 – Check if server accepts SSL connections
This can be done utilising the online service from vendors such as Qualys.
https://www.ssllabs.com/ssltest/ (please ensure you tick the “Do not show the results on the boards” option).
an alternate is to use the nmap tool to scan server utilising the following command:
nmap yourserveripornamehere -p 443 –script ssl-enum-ciphers
2 – Once identified remove the server’s ability to communicate using SSL
For windows servers this will mean registry changes.
For linux servers you will need to modify the relevant files for the web server being used. For example the mod_SSL configuration file.
For appliances such as firewalls, load balancers, switches, routers, remote access solutions, you will need to approach the vendor and request the relevant update.
5- How can we help
If required there are several ways in which we can assist. These include:
- Identifying servers devices and applications that allow SSL connections
- Assisting with remediation
Shearwater is dedicated to its customers’ security, and are always happy to provide advice. If any assistance is required please contact us.