Saying bye to SSL – What you should know about PCI DSS version 3.1
If you don’t know by now (and I hope you do), the Payment Card Industry Security Standards Council (PCI SSC) updated its Data Security Standard (DSS) to version 3.0 earlier this year in January.
To release some minor adjustments and clarifications, it has now issued a follow-up version, 3.1. The biggest change affecting all merchants in this update is that Secure Sockets Layer (SSL) can no longer be used as a security control after June 30, 2016.
(image by Fosforix – E-Commerce Visa (Test tamron 17-50 2.8), Flickr)
Isn’t SSL safe? What happened to it?
Well, SSL has been widely accepted and used as a secure, encrypted protocol for at least 20 years. But it is no longer as safe as we thought. In fact, SSL v3.0 was superseded by Transport Layer Security (TLS) 15 years ago, and TLS has had a couple of version updates since then.
As if things hadn’t been bad enough for SSL, in late 2014 a security vulnerability was discovered that may allow attackers to extract data from supposedly secure connections.
More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability makes it possible to decrypt an encrypted message secured by SSL v3.0. Sadly, because the weakness is inherent in the SSL v3.0 protocol itself, it cannot be patched or fixed; the protocol has to be retired.
(image from http://www.volusion.com/ecommerce-blog/articles/volusion-addresses-poodle-security-vulnerability/)
How does this affect my company?
As outlined in PCI SSC’s statement, ‘SSL and early TLS no longer meet the security needs for merchants to implement strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol’.
What this means for any merchant is that you will now have to migrate all of your business software (including your e-commerce and mobile websites) from SSL and early TLS to the latest version of TLS as soon as possible. Failing to do so will result in:
1. PCI DSS non-compliance (it’s no fun, trust us).
2. Customers’ card data being potentially exposed to attackers (again, no fun).
3. Losing sales. Or worse, losing sales AND having to pay any fines resulting from PCI DSS non-compliance (even less fun).
If you’re a merchant already using judo as a payment processor, you and your customers are in safe hands. But you should still migrate your website onto the latest version of TLS for the best protection.
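The migration advice above is only verifiable if you know which protocol versions your own servers still negotiate. The following added example (not code from Judopay or the PCI SSC) probes a host one protocol version at a time with Python’s standard `ssl` module and reports whether the server would pass the June 30, 2016 cut-off. It assumes a reading of “SSL and early TLS” as SSLv3 plus TLS 1.0 and 1.1; adjust `LEGACY_VERSIONS` to your assessor’s interpretation.

```python
import socket
import ssl

# (name, ssl.TLSVersion member, local-library support flag), oldest first.
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]
# Assumption: "SSL and early TLS" is read here as SSLv3 plus TLS 1.0 and 1.1.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _pinned_client_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Clear the legacy-version blocks Python sets by default, then pin min = max.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    ctx.minimum_version = ctx.maximum_version = version
    # The probe only asks "will you negotiate this version?", so certificate
    # validation is deliberately off here; this is not a trust decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:  # let the local OpenSSL offer versions its security level would refuse
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without SECLEVEL syntax; probe with its defaults
    return ctx


def probe_version(host, port, version, supported, timeout=5.0):
    """Return 'accepted', 'rejected' or 'untestable' for one protocol version."""
    if not supported:
        return "untestable"  # local OpenSSL was built without this version
    try:
        ctx = _pinned_client_context(version)  # ValueError if version unusable
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except (ssl.SSLError, ValueError):
        return "rejected"  # handshake refused (by the server, or by local policy)
    except OSError:
        return "untestable"  # no TCP connection at all: not a protocol answer


def probe_host(host, port=443):  # live network call, e.g. probe_host("shop.example")
    return {n: probe_version(host, port, v, ok) for n, v, ok in PROBE_VERSIONS}


def legacy_versions_accepted(results):
    """Legacy versions the server still negotiates, i.e. what must be disabled."""
    return sorted(v for v, s in results.items() if s == "accepted" and v in LEGACY_VERSIONS)


def pci_ready(results):
    """True when no legacy version is accepted and TLS 1.2 or 1.3 is."""
    modern = any(results.get(v) == "accepted" for v in ("TLSv1.2", "TLSv1.3"))
    return modern and not legacy_versions_accepted(results)
```

A "rejected" result for TLS 1.0 or 1.1 can also come from a local OpenSSL build that refuses to offer them even at security level 0, so confirm a clean result with `openssl s_client` from a second machine before signing anything off.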
Where can I find out more about this?
For more information, the council has issued a very helpful information supplement that answers the most frequently asked questions. You can find it here.
Alternatively, you can contact our payment experts, who can help address your concerns.
About Judopay · Judopay simplifies in-app payments, enables frictionless checkouts and intelligently prevents fraud for leading companies globally. Our payments and mobile experts help guide businesses and their development partners to create best-in-class apps that make paying faster, easier and more secure. Founded by serial financial technology entrepreneurs in 2012, Judopay is backed by leading venture investors and supported by banking and card scheme partners to offer in-app payments that are simple, frictionless and protected.