PCI Council warns of SSL insecurities
The PCI Council says that the Secure Socket Layer (SSL) protocol is no longer secure enough for encrypting communications online between the customer and online retailer.
In the latest Assessor Newsletter, which was published on February 13, the Council talks about proposed revisions to the PCI DSS and PA-DSS standards (currently version 3.0 is in effect), with some of these changes relating specifically to concerns around SSL security.
“In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future,” reads the newsletter. “The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC's definition of ‘strong cryptography,’ and updates to the standards are needed to address this issue.”
The newsletter goes on to reveal that the Council is currently working with industry stakeholders to determine the impact of this proposed change. The group has not said when changes to the aforementioned standards will be implemented but did say that it would be “future-dated” and effective immediately.
The once widely-used SSL has been criticised over the last year, given the Heartbleed, Shellshock and Poodle flaws, with the more secure Transport Layer Security (TLS) emerging as a viable alternative to carry HTTPS internet connections.
The first version of SSL was released by Netscape twenty years ago. In more recent times end-users have increasingly adopted TLS on web servers, but web developers have often kept SSL enabled as a fall-back for connections where TLS is not negotiated.
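The fall-back pattern just described is what the Council's change targets: a client or server that still permits SSLv2 or SSLv3 can be talked down to those versions even when both sides support TLS. The following is an added example, not code from the article or from the PCI Council, showing how to audit for that on both sides. It assumes Python's standard `ssl` module, the nginx `ssl_protocols` directive syntax for the server-side check, and a placeholder hostname for the live probe; the nginx fragments are constructed sample input.

```python
"""Audit a client context and a server config for any SSL-version fall-back.

Added example, not from the PCI Council or the article. Assumes Python's
standard ``ssl`` module and nginx ``ssl_protocols`` syntax.
"""
import re
import socket
import ssl

# Protocol names the newsletter says no longer count as "strong cryptography".
SSL_VERSIONS = {"SSLv2", "SSLv3"}


def protocol_is_acceptable(name: str) -> bool:
    """True if a negotiated protocol name (as SSLSocket.version() reports it) is a TLS version."""
    return name.startswith("TLSv") and name not in SSL_VERSIONS


def legacy_fallback_context() -> ssl.SSLContext:
    """The weak configuration: a client that will fall back to whatever the server offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor at all
    return ctx


def tls_only_client_context() -> ssl.SSLContext:
    """The corrected configuration: pin the floor so no SSL version can be negotiated."""
    ctx = ssl.create_default_context()
    # Modern Python already defaults to TLS 1.2, but pinning it explicitly
    # protects against older interpreter/OpenSSL combinations.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_ssl(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate SSLv2 or SSLv3."""
    floor = ctx.minimum_version
    return floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor <= ssl.TLSVersion.SSLv3


def audit_ssl_protocols_directive(config_text: str) -> list[str]:
    """Return the SSL versions an nginx ``ssl_protocols`` line enables (empty list if none)."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    if not m:
        return []  # directive absent: nginx's own default applies, review it separately
    return [p for p in m.group(1).split() if p in SSL_VERSIONS]


def probe_negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and report what was negotiated (or why it failed)."""
    ctx = tls_only_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"


# Constructed sample server configs: the weak one beside the corrected one.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    print("weak client allows SSL:", context_allows_ssl(legacy_fallback_context()))
    print("hardened client allows SSL:", context_allows_ssl(tls_only_client_context()))
    print("weak nginx enables:", audit_ssl_protocols_directive(WEAK_NGINX))
    print("hardened nginx enables:", audit_ssl_protocols_directive(HARDENED_NGINX))
    # Placeholder host; replace with a server you operate.
    print(probe_negotiated_version("example.invalid"))
```

The client-side check reads `minimum_version` rather than the `OP_NO_SSLv*` option bits because OpenSSL 1.1.0 and later define `SSL_OP_NO_SSLv2` as zero, so a bit test there would report a false negative. The live probe deliberately uses the hardened context: a server that only completes the handshake when SSL is on offer will fail against it, which is the result an assessor wants to see surfaced.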
The PCI Council develops, maintains and manages payment card security standards, although it doesn't validate or enforce an organisation's compliance.