By the end of January, Google will update its Chrome browser to warn users when a website that accepts credit cards or passwords is not using HTTPS (which uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to encrypt transmissions between a browser and a website). Eventually, Google plans to label all HTTP pages as non-secure, since these sites don’t use SSL/TLS to encrypt transmissions. As announced in December 2015, the Council issued guidance and removed SSL/early TLS as an example of strong cryptography from the PCI Data Security Standard (PCI DSS), stating that it can no longer be used as a security control after 30 June 2018. Organizations that need to implement HTTPS should use a more modern security protocol than SSL (at a minimum TLS v1.1, although the Payment Card Industry Security Standards Council (PCI SSC) strongly encourages organizations to implement TLS 1.2 or higher).
The Council will be issuing a Special Interest Group paper entitled “Best Practices for Securing E-commerce” on 31 January. The paper will educate merchants on accepting payments securely through online and mobile platforms. Below is an excerpt from the paper, which outlines common questions merchants can ask service providers regarding digital certificates and encryption. The full guidance will be published on 31 January.
Common Questions about Digital Certificates and Encryption
I am a small business so surely no one is going to attack me if I continue to use SSL and early TLS.
Unfortunately, small businesses are just as susceptible to attack as larger organizations. Hackers use computer programs that systematically perform exhaustive searches for targets that are misconfigured or contain exploitable vulnerabilities. Hackers and their computers do not care how big or small an organization is that is utilizing a vulnerable system. We tend not to hear about small merchant breaches because the businesses are not well known and the breaches too numerous. It is just a matter of time before any vulnerable system is exploited.
The cost of a breach, even for a business storing a small number of credit cards, will far outweigh the cost it will take to migrate to TLS 1.2.
My service provider tells me that it supports later versions of TLS—is that all I need to do to meet the PCI DSS requirements on TLS?
While support for the later versions of TLS (1.1 and 1.2) is good, the retention of support for the TLS 1.0 and any version of SSL still introduces a potential weakness in the environment unless appropriate compensating controls are implemented and maintained. In terms of PCI DSS compliance, then, service providers must support the use of later versions of TLS (currently 1.1 and 1.2) and must only support later versions of TLS for new implementations. Service providers can still offer SSL and TLS v1.0 up to 30 June 2018 for existing services.
How can I find out what SSL/TLS protocols and versions I support?
Although there are companies that provide testing services, one way of finding out whether your website supports a particular version of SSL or TLS is to use a computer browser to connect to the site and actually establish a secure connection. Each type of browser provides options that enable you to select specific versions of both SSL and TLS, so by a process of elimination you can quickly establish what is actually supported. Note: Only TLS 1.1 or 1.2 connections are considered strong cryptography and support secure encryption protocols.
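The process of elimination described above can be automated against a server you operate. The script below is an added example, not code from the Council or its guidance: it uses Python's standard ssl module to pin a client to exactly one protocol version per handshake attempt, records which versions the server accepted, and maps the result onto the categories this post uses (SSL and early TLS versus TLS 1.1 or later). Assumptions: the hostname and port are yours to test, the threshold of TLS 1.1 as strong cryptography is taken from the post's own text, and where the local OpenSSL build cannot offer a legacy version at all the result is reported as inconclusive rather than as "not supported", so a modern client does not produce a false clean bill of health.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate, one version at a time.

Added example (not PCI SSC code). Run against a host you operate:
    python tls_versions.py www.example.com 443
"""
import socket
import ssl
from typing import Optional

# Probe order, oldest first. SSL 2.0 cannot be offered by modern OpenSSL at all, so it is absent.
PROBE_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# Categories as the post states them: SSL and "early TLS" (1.0) are out; TLS 1.1+ counts as strong.
WEAK_VERSIONS = {"SSLv3", "TLSv1"}
STRONG_VERSIONS = {"TLSv1_1", "TLSv1_2", "TLSv1_3"}


def probe_version(host: str, version: ssl.TLSVersion, port: int = 443,
                  timeout: float = 5.0) -> Optional[bool]:
    """Handshake with the client pinned to exactly one protocol version.

    True  -> the server completed a handshake at that version
    False -> the server refused (alert or connection reset)
    None  -> inconclusive: network error, or the local OpenSSL cannot offer that version
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol support is the question here, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Newer Pythons also disable old versions via OP_NO_* flags; clear them so the
        # min/max pin below is the only constraint (getattr tolerates their removal).
        legacy_flags = (getattr(ssl, "OP_NO_SSLv3", 0) | getattr(ssl, "OP_NO_TLSv1", 0)
                        | getattr(ssl, "OP_NO_TLSv1_1", 0))
        ctx.options &= ~legacy_flags
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version <= ssl.TLSVersion.TLSv1_1:
            # OpenSSL 3 rejects legacy versions at its default security level; relax it
            # for this single probe only (the TLS 1.2/1.3 attempts use a fresh context).
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return None  # our own library could not even offer the version
        return False
    except ConnectionResetError:
        return False  # some servers drop unsupported versions without sending an alert
    except OSError:
        return None  # timeout, connection refused, DNS failure: not a protocol answer


def survey(host: str, port: int = 443) -> dict:
    """Probe every version in PROBE_ORDER; keys are version names such as 'TLSv1_2'."""
    return {v.name: probe_version(host, v, port) for v in PROBE_ORDER}


def assess(results: dict) -> dict:
    """Map survey results onto the post's compliance view."""
    enabled = {name for name, ok in results.items() if ok}
    weak = sorted(enabled & WEAK_VERSIONS)
    strong = sorted(enabled & STRONG_VERSIONS)
    inconclusive = sorted(name for name, ok in results.items() if ok is None)
    return {
        "weak_enabled": weak,          # SSL/early TLS still offered: migration plan needed
        "strong_enabled": strong,      # TLS 1.1+ offered (1.2 or higher is what the Council urges)
        "inconclusive": inconclusive,  # re-test these with a client that can still speak them
        "offers_strong": bool(strong),
        "needs_migration": bool(weak),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in assess(survey(target, target_port)).items():
        print(f"{key}: {value}")
```

Each attempt uses its own context so that relaxing the security level for a legacy probe cannot leak into the TLS 1.2 and 1.3 attempts. An "inconclusive" entry is the signal to repeat that one version with an older client or a dedicated testing service, which is the gap the browser method in the answer above has as well: a browser that no longer speaks SSL 3.0 cannot tell you whether your server still does.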
As a merchant, many of my customers, either because of policy or in-house systems incompatibility, do not have the latest software. This may limit the versions of TLS that are available for them to implement. What can I do to be compliant without losing my customers?
The best solution is to (1) develop a TLS migration plan to disable SSL and all early versions of TLS and migrate to TLS 1.2, and (2) until the migration is complete, address the vulnerabilities associated with the use of insecure protocols through risk-mitigating compensating controls. The PCI Information Supplement, Migrating from SSL and Early TLS, provides guidance on developing the migration plan and implementing risk-mitigating controls, including control recommendations for small merchant environments.
Organizations that are unable to discontinue use of solutions that do not support the latest version of TLS must perform an Approved Scanning Vendor (ASV) scan quarterly to verify that compensating controls continue to effectively mitigate known and newly discovered vulnerabilities associated with the insecure protocols. Merchants should contact their acquirer to discuss business requirements, limitations of current solutions, and compensating controls in place or planned to address risk to the merchant environment.
I am a small business and will need to upgrade my systems to support the latest versions of TLS at great expense. What can I do to remain secure until I can upgrade?
Until the migration to TLS 1.1/1.2 is complete, a small business must address the vulnerabilities associated with the use of insecure protocols. The PCI SSC Information Supplement, Migrating from SSL and Early TLS, provides guidance on implementing risk-mitigating controls, including recommendations for small merchant environments. Merchants should also talk to their acquiring bank or payment card brand to determine whether there are any other requirements that must be met.
The Best Practices for Securing E-commerce Special Interest Group paper will be released on 31 January. Go to our newsroom and sign up to be notified when the Council issues press releases.