On Friday the Payment Card Industry Security Standards Council (PCI SSC) released its official statement regarding the acceptability of Secure Sockets Layer (SSL) version 3 for protecting payment data. Based on guidance from NIST, and after months of discussions with stakeholders, the Council's position is that no version of SSL encryption should be considered "strong cryptography" as defined by the PCI Council.
The Council will be releasing version 3.1 of both the PCI DSS and the PA-DSS to address this issue. The date for the release has not yet been announced.
If you are running any version of SSL on your e-commerce servers, even version 3.0, you should disable it, along with older versions of Transport Layer Security (TLS). TLS should be version 1.2 or higher. Most modern, currently patched web servers support this configuration. If you are running old server software, this may not be possible.
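As an added example (not from the PCI Council or the original post), here is a small Python audit that reads the protocol directive from an nginx (`ssl_protocols`) or Apache (`SSLProtocol`) configuration, works out which versions end up enabled, and flags SSL and pre-1.2 TLS. The sample configs are constructed for illustration; treating Apache's `all` keyword as "every version except SSLv2" is an assumption made to be conservative, since its exact meaning depends on the Apache and OpenSSL build.

```python
import re

# Protocol names as written in nginx ssl_protocols and Apache SSLProtocol.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in ALL_PROTOCOLS}
# Per the PCI SSC bulletin no SSL version is strong cryptography; the post
# also recommends disabling older TLS, so anything below TLS 1.2 is weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def enabled_protocols(config_text):
    """Return the set of protocol versions the config enables, or None if
    no directive is present (the server's build default would apply)."""
    enabled = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")   # drop comments
        m = re.match(r"(ssl_protocols|SSLProtocol)\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        enabled = set()  # the last directive wins, as in both servers
        for tok in m.group(2).split():
            name = CANON.get(tok.lstrip("+-").lower(), tok.lstrip("+-"))
            if tok.lower() == "all":   # Apache keyword (assumed: all but SSLv2)
                enabled |= set(ALL_PROTOCOLS) - {"SSLv2"}
            elif tok.startswith("-"):  # Apache "-SSLv3" style exclusion
                enabled.discard(name)
            else:
                enabled.add(name)
    return enabled

def audit(config_text):
    """Return (compliant, weak protocols still enabled). A config without an
    explicit directive is reported as non-compliant with weak=None, because
    the effective set then depends on the server build rather than on you."""
    enabled = enabled_protocols(config_text)
    if enabled is None:
        return False, None
    weak = sorted(enabled & WEAK_PROTOCOLS, key=ALL_PROTOCOLS.index)
    return not weak, weak

# Constructed samples: the weak setting beside the corrected one.
WEAK_NGINX = "server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 still on\n}\n"
FIXED_NGINX = "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.2 or higher only\n}\n"
WEAK_APACHE = "SSLProtocol all -SSLv2\n"
FIXED_APACHE = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("fixed nginx", FIXED_NGINX),
                       ("weak apache", WEAK_APACHE), ("fixed apache", FIXED_APACHE)]:
        print(label, audit(cfg))
```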
More information is available in the official statement at this link:
https://www.pcisecuritystandards.org/pdfs/15_02_12_PCI_SSC_Bulletin_on_DSS_revisions_SSL_update.pdf
PCI SSC Official Statements:
https://www.pcisecuritystandards.org/news_events/statements.php
Monday, February 16, 2015
Friday, February 13, 2015
Stay tuned for a PCI Council Announcement
Information regarding the upcoming release of PCI DSS v3.1 and PA-DSS v3.1 is supposed to be coming out today.