Monday, February 16, 2015

SSL is No Longer Strong Cryptography

On Friday the Payment Card Industry Security Standards Council (PCI SSC) released their official statement regarding the acceptability of Secure Sockets Layer (SSL) version 3 for protecting payment data. Based on guidance from NIST and after months of discussions with stakeholders, no version of SSL encryption should be considered "strong cryptography" as defined by the PCI Council.

The Council will be releasing version 3.1 of both the PCI DSS and the PA-DSS to address this issue. The date for the release has not yet been announced.

If you are running any version of SSL on your e-commerce servers, even version 3.0, you should disable it along with older versions of Transport Layer Security (TLS). TLS should be version 1.2 or higher. Most modern and currently patched web servers should support this configuration. If you have old server software, this may not be possible.
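As an added example (not part of the post or the PCI SSC statement), the following Python script turns the rule above into a check you can run against your own server after changing its configuration: it encodes "TLS 1.2 or higher" as a policy, builds a client context that refuses anything older, and probes a host by attempting one handshake pinned to each protocol version. It assumes Python 3.7+ (for `ssl.TLSVersion`) and that the local OpenSSL build can still offer older versions; where it cannot (most current builds have SSLv3 compiled out), the probe records that version as not negotiable rather than failing. The host, port and function names are my own choices.

```python
"""Offline policy check plus an on-demand probe for the 'TLS 1.2 or higher' rule.

Added example, not from the blog post or the PCI Council. Assumes Python 3.7+
and the standard-library ssl module; no third-party packages.
"""
import socket
import ssl
import sys

# Protocol names as SSLSocket.version() reports them, oldest first.
_PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_MIN_ACCEPTABLE_NAME = "TLSv1.2"

# Versions the probe can try to pin a handshake to (SSLv2 has no ssl.TLSVersion member).
_PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def version_is_acceptable(name: str) -> bool:
    """True only for TLS 1.2 and newer; every SSL version and TLS 1.0/1.1 fail."""
    if name not in _PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol name: {name!r}")
    return _PROTOCOL_ORDER.index(name) >= _PROTOCOL_ORDER.index(_MIN_ACCEPTABLE_NAME)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2 (certificate checks stay on)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Deliberately weak probe context that can negotiate exactly one version.

    Certificate verification is disabled on purpose: we only care whether the
    server is willing to speak this version, not whether its certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {protocol_name: negotiated?} by attempting one pinned handshake per version."""
    results = {}
    for name, version in _PROBE_VERSIONS:
        try:
            ctx = _pinned_context(version)
        except (ValueError, ssl.SSLError):
            # Local OpenSSL cannot even offer this version; treat as not negotiable.
            results[name] = False
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def violations(results: dict) -> list:
    """Names of versions the server accepted that the policy does not allow."""
    return sorted(n for n, accepted in results.items() if accepted and not version_is_acceptable(n))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # hypothetical default
    found = probe(target)
    for proto in _PROTOCOL_ORDER[1:]:
        print(f"{proto:8} {'negotiated' if found.get(proto) else 'refused'}")
    bad = violations(found)
    print("PASS: only TLS 1.2+ offered" if not bad else f"FAIL: still accepts {', '.join(bad)}")
```

Run it as `python tls_policy_check.py shop.example.com` after disabling SSL and TLS 1.0/1.1 on the server; a clean result shows SSLv3, TLSv1 and TLSv1.1 as refused. A "refused" line can also mean your own OpenSSL refused to offer that version, so confirm at least one probe from a client that can still speak the legacy versions before calling the server compliant.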

More information is available in the official statement at this link:

PCI SSC Official Statements:

Friday, February 13, 2015

Stay tuned for a PCI Council Announcement

Information regarding the upcoming release of PCI DSS v3.1 and PA-DSS v3.1 is supposed to be coming out today.