The Payment Card Industry Security Standards Council (PCI SSC) has moved to address the weaknesses in the Secure Sockets Layer (SSL) and early versions of the Transport Layer Security (TLS) protocols, brought into sharp focus by the Heartbleed and POODLE disclosures, with an out-of-band release of PCI DSS v3.1. The two are different kinds of problem: POODLE exploits a design flaw in SSL 3.0 itself (its CBC padding handling), whereas Heartbleed was a memory-disclosure bug in the OpenSSL implementation rather than in the protocol; it is the former class, protocol versions that cannot be fixed by patching, that the new standard targets.
This latest iteration of the PCI Data Security Standard, however, has split the IT security profession when it comes to just how much protection it is really providing the card holder who shops online.
The v3.1 PCI DSS release (https://www.pcisecuritystandards.org/security_standards/documents.php) addresses the well-known, high-risk vulnerabilities in SSL and in early TLS (which the standard takes to mean TLS 1.0 for the most part), and prohibits any new implementation from using those protocol versions. That is, undeniably, a good thing. What is less clear-cut on the 'good thing' front is the 14-month transition window, which gives merchants until 30 June 2016 to stop relying on these protocols as a security control for payment data. In the meantime, the new standard requires merchants with existing implementations to have a formal risk mitigation and migration plan in place.
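The first step of any such migration plan is an inventory: which in-scope endpoints still negotiate SSL 3.0 or TLS 1.0? The following Python script is an added example and is not part of the article or of the PCI SSC's material. Rather than relying on the local OpenSSL build (which may itself no longer speak SSL 3.0 or TLS 1.0), it hand-builds a minimal ClientHello offering one protocol version at a time, sends it over a plain socket and classifies the server's first record as a ServerHello (version accepted) or an Alert (version refused). The target host, port and the probe cipher list are assumptions.

```python
import socket
import struct

# Protocol version numbers as they appear on the wire (RFC 6101, RFC 2246, RFC 4346, RFC 5246).
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# PCI DSS v3.1 names SSL and "early TLS" (TLS 1.0) as prohibited security controls.
PROHIBITED = {(3, 0), (3, 1)}

# Assumed cipher list: RSA and ECDHE-RSA CBC/RC4 suites that legacy SSL 3.0 / TLS 1.0
# stacks commonly support, so a refusal is more likely about the version than the suite.
PROBE_CIPHERS = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A, 0x0005, 0x0004]

ALERT_HANDSHAKE_FAILURE = 40   # ambiguous: may be a cipher-suite mismatch, not the version
ALERT_PROTOCOL_VERSION = 70    # unambiguous: the offered version was refused


def build_client_hello(version, cipher_suites=PROBE_CIPHERS):
    """Build one TLS record carrying a minimal ClientHello that offers only `version`."""
    major, minor = version
    body = (
        bytes([major, minor])
        + b"\x00" * 32                      # client_random (fixed: this is a probe, not a real session)
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        + b"\x01\x00"                       # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sends back.

    Returns ("accepted", (major, minor)) for a ServerHello, ("rejected", alert_description)
    for an Alert record, or ("unknown", None) if the data is not a complete record of either kind.
    """
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == 0x15 and len(payload) >= 2:                         # alert: level, description
        return ("rejected", payload[1])
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # server_hello(2)
        return ("accepted", (payload[4], payload[5]))                      # server_version after 3-byte length
    return ("unknown", None)


def read_first_record(sock, chunk_size=16384):
    """Read exactly one TLS record (header plus body), or whatever arrives before EOF."""
    buf = b""
    while len(buf) < 5:
        chunk = sock.recv(chunk_size)
        if not chunk:
            return buf
        buf += chunk
    need = 5 + struct.unpack("!H", buf[3:5])[0]
    while len(buf) < need:
        chunk = sock.recv(chunk_size)
        if not chunk:
            break
        buf += chunk
    return buf[:need]


def probe(host, port, version, timeout=5.0):
    """Offer a single protocol version to host:port and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = read_first_record(sock)
        except socket.timeout:
            data = b""
    return parse_server_response(data)


def scan(host, port=443):
    """Probe each version separately; returns {version: (status, detail)}."""
    return {v: probe(host, port, v) for v in VERSIONS}


def prohibited_accepted(results):
    """Names of the SSL / early TLS versions a server still negotiates, from scan() output."""
    return [VERSIONS[v] for v in sorted(results) if v in PROHIBITED and results[v][0] == "accepted"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target host
    results = scan(target)
    for v, (status, detail) in sorted(results.items()):
        note = ""
        if status == "rejected":
            note = " (protocol_version alert)" if detail == ALERT_PROTOCOL_VERSION else f" (alert {detail})"
        print(f"{VERSIONS[v]:8} {status}{note}")
    bad = prohibited_accepted(results)
    print("PCI DSS v3.1 finding:", ", ".join(bad) if bad else "no SSL / early TLS accepted")
```

Two caveats when reading the output: a handshake_failure alert (40) can mean the server disliked the probe cipher list rather than the version, so only a protocol_version alert (70) or a plain ServerHello is conclusive; and this checks only what a server will accept, whereas the standard also covers client-side use, so POS terminals and other outbound clients on the migration plan need their own inventory.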
There's no doubting that the PCI DSS v3.1 revision has reopened the old security-versus-compliance debate: security as something practised every day, compliance as a regulatory check box. Chris Scott, programme director at The Bunker, told SC: "While 14 months is a very long period for best practice, it should be something that's covered as part of an everyday risk mitigation strategy - at the end of the day it's something merchants should be working towards anyway."
Bob Massey, principal consultant at Compliance3, told SCMagazineUK.com that the PCI Standards Council is in a difficult position. While he agreed that, by definition, standards have to have some degree of stability and that a two-year cycle is usually enough to allow the industry to respond and comply with any revisions to the standard, Massey added: "We work in a fast moving industry, new threats are arising all the time, and we need to be seen to be responding responsibly to those new threats." The trouble is that consumers, who have a lot of choice over where they spend their money online, will simply shop elsewhere if they have doubts about security. "I would suggest that the PCI Standards Council consider implementing some form of fast response advisory system," Massey suggests, through which it could rapidly deploy credible responses to any new threats. "These should then be incorporated into a merchant's next compliance review," he concludes.
Mark Kedgley, CTO, New Net Technologies, on the other hand, told SC that: "The PCI SSC has mandated the need to remove SSL and early TLS from in-scope systems immediately in PCI DSS V3.1," and nobody would argue that it isn't imperative to remove any dependency on these. However, he tempered that by adding: "The key problem with PCI compliance is that too few have fully embraced the need for continuously operated security best practices," and without closing the loop on vulnerability management, system hardening, change control and breach detection, "there will always be more 'Target' breaches."
Brendan Rizzo, technical director EMEA at HP Security Voltage, takes the position that the very fact that the PCI Council saw fit to release an out-of-band update underscores the real threat that the recent SSL and TLS vulnerabilities pose to payment security. But on the 14-month transition period he warns: "If companies do not start to formalise a plan for appropriate security upgrades right away, any breach that they might incur could result in tough questions being asked and, ultimately, in significant reputational damage - even if it occurs before the PCI Council's implementation deadline." Indeed, as Raimund Genes, chief technology officer at Trend Micro, pointed out, compliance with PCI v3.1 does not mean 100 percent security. He told SCMagazineUK.com: "It's good (that the PCI SSC) has redefined minimum standards, to appreciate that what was good two years ago is obsolete now, and to beef it up and make it better. But it is a minimum layer and doesn't mean that you've done everything possible (to ensure data security) and you should do more."
Paul Hampton, payments security expert at Gemalto, was quicker to defend the PCI perspective, insisting that it "needs to find a balance between realistic time scales and allowing vendors, especially slower moving businesses, time to move onto a different solution." Such businesses, Hampton explained, may need more time to understand how to change their systems to one that is right for their customers and to find another secure solution. Ideally, everyone would move across straight away when a vulnerability is found, and in some cases it is just a matter of flicking a switch to change the technology quickly, but PCI-regulated businesses often need more time to make the necessary changes. "I believe that the timeframes reflect the fact that many merchants are reliant upon third parties for the security of their environment," says Kevin Burns, head of solutions architecture at Vodat International, who continues: "SSL/TLS is used in both the physical store as well as the online environment. As a result, the change is complicated, as the retailer has to plan an upgrade to remote devices and in some implementations that may well mean sending engineers out to sites all over the world."
The bottom line, then, is that while 14 months is really too long to leave a known vulnerability in place, requiring a documented plan and holding merchants to it may be as far as the PCI SSC can reasonably be expected to go. Service providers and retailers alike should, after all, already have a strategy in place to mitigate these well-publicised risks and roll out the relevant upgrades.
Also see the SC eConference on PCI v3, beyond compliance, with keynotes from Jeremy King, international director, PCI SSC, and Tracey Long, payment security and PCI DSS compliance manager, WorldPay, as well as sponsored sessions from Rapid7 and AlienVault.