Monday, February 16, 2015

SSL is No Longer Strong Cryptography

On Friday the Payment Card Industry Security Standards Council (PCI SSC) released their official statement regarding the acceptability of Secure Sockets Layer (SSL) version 3 for protecting payment data. Based on guidance from NIST and after months of discussions with stakeholders, no version of SSL encryption should be considered "strong cryptography" as defined by the PCI Council.

The Council will be releasing version 3.1 of both the PCI DSS and the PA-DSS to address this issue. The date for the release has not yet been announced.

If you are running any version of SSL on your e-commerce servers, even version 3.0, you should disable it along with older versions of Transport Layer Security (TLS). TLS should be version 1.2 or higher. Most modern and currently patched web servers support this configuration. If you have old server software, this may not be possible.
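One way to verify that a server actually meets this configuration, as an added example that is not part of the original post: a Python 3.7+ script that pins a handshake to each protocol version in turn and reports what the Council's guidance rules out. It assumes an OpenSSL-backed Python; a None result means the probe could not be attempted from this client (for SSLv3 that is the usual outcome on current OpenSSL builds), not that the server has the version disabled.

```python
import socket
import ssl

# Versions to probe, oldest first. Whether a given version can even be
# attempted depends on the OpenSSL build the interpreter links against.
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
# What the PCI guidance rules out: any SSL, and TLS below 1.2.
WEAK_VERSIONS = ("SSLv3", "TLSv1.0", "TLSv1.1")

def handshake_ok(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the probe could not be attempted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # only protocol support is being tested
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 hides TLS 1.0/1.1 otherwise
    except ssl.SSLError:
        pass                        # older builds do not know SECLEVEL; fine
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None                 # this OpenSSL build cannot speak `version`
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                 # unreachable; nothing to conclude
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except OSError:             # alert, reset or EOF: version refused
            return False

def probe_server(host, port=443):
    return {name: handshake_ok(host, port, ver) for name, ver in PROBE_VERSIONS}

def assess(results):
    """Turn {version: True/False/None} into findings: each weak version still
    enabled, plus a finding if no TLS 1.2-or-higher handshake succeeded."""
    findings = [f"{v} enabled: disable it" for v in WEAK_VERSIONS if results.get(v) is True]
    if not any(results.get(v) for v in ("TLSv1.2", "TLSv1.3")):
        findings.append("no TLS 1.2 or higher offered: upgrade server software")
    return findings
```

Run `assess(probe_server("your.host"))` against a test instance of your own server; an empty list means nothing the post calls for disabling was accepted and a TLS 1.2 or higher handshake completed.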

More information is available in the official statement at this link:
https://www.pcisecuritystandards.org/pdfs/15_02_12_PCI_SSC_Bulletin_on_DSS_revisions_SSL_update.pdf

PCI SSC Official Statements:
https://www.pcisecuritystandards.org/news_events/statements.php
