In removing Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) as examples of strong cryptography in the PCI Data Security Standard (PCI DSS), the Council has urged organizations to migrate away from these vulnerable protocols as soon as possible. During the migration period, however, the regular external network vulnerability scans required by PCI DSS (Req. 11.2.2) will flag any SSL/early TLS still in use as a high-severity finding, resulting in failed Approved Scanning Vendor (ASV) scan reports.
Aware of this interim challenge, the Council has outlined these migration recommendations for organizations:
- Prior to June 30, 2018: Entities that have not completed their migration should provide the ASV with documented confirmation that they have implemented a Risk Mitigation and Migration Plan and are working to complete their migration by the required date. Receipt of this confirmation should be documented by the ASV as an exception under “Exceptions, False Positives, or Compensating Controls” in the ASV Scan Report Executive Summary.
- After June 30, 2018: Entities that have not completely migrated away from SSL/early TLS will need to follow the process outlined in the ASV Program Guide v2 section entitled “Managing False Positives and Other Disputes” to confirm that the affected system is not susceptible to the particular vulnerabilities. An example is a system where SSL/early TLS is present but is not being used as a security control (e.g. it is not relied on to protect the confidentiality of the communication).
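Before disputing a finding, it helps to have your own evidence of which protocol versions a host will actually negotiate, rather than relying on the scanner's summary. The following script is an added example for this post, not code from the PCI SSC or SecurityMetrics: it sends a minimal ClientHello for SSLv3 and each TLS version and classifies the first record the server returns (a ServerHello means the version was accepted, an alert means it was refused). The host name, port and the constructed record bytes used for the offline checks are assumptions for illustration; the cipher suites offered are ordinary RSA suites chosen only so that a legacy server has something to accept.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example for this post (not PCI SSC or SecurityMetrics code). The network
part is in probe(); build_client_hello() and classify_response() work on raw
bytes so they can be exercised offline against constructed records.
"""
import socket
import struct
import sys

# (major, minor) wire versions. PCI DSS no longer counts SSLv3 or TLS 1.0 as
# strong cryptography; TLS 1.1 is also discouraged, TLS 1.2+ is the target.
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
NAMES = {wire: name for name, wire in VERSIONS.items()}
EARLY = ("SSLv3", "TLSv1.0")


def build_client_hello(version):
    """Return one TLS record carrying a minimal ClientHello for `version`."""
    major, minor = version
    client_random = b"\x00" * 32  # fixed for reproducibility; a real client uses os.urandom(32)
    # AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA: offered only so legacy stacks can answer.
    cipher_suites = struct.pack("!HHH", 0x002F, 0x0035, 0x000A)
    body = (
        struct.pack("!BB", major, minor)
        + client_random
        + b"\x00"                                            # empty session id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                        # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!BBH", major, minor, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to our ClientHello.

    Returns ("accepted", version_name) for a ServerHello, ("rejected", alert_code)
    for an alert (70 = protocol_version), and ("unknown", None) otherwise,
    including an empty read because the server simply closed the connection.
    """
    if len(data) < 5:
        return ("unknown", None)
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if content_type == 0x15 and len(body) >= 2:                       # alert
        return ("rejected", body[1])
    if content_type == 0x16 and len(body) >= 6 and body[0] == 0x02:   # handshake: ServerHello
        wire = (body[4], body[5])                                      # server_version follows the 4-byte handshake header
        return ("accepted", NAMES.get(wire, "%d.%d" % wire))
    return ("unknown", None)


def probe(host, port=443, timeout=5.0):
    """Open one connection per version, send the ClientHello and classify the reply."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:
            results[name] = ("unknown", str(exc))
    return results


def early_tls_findings(results):
    """Names of SSL/early TLS versions the server actually negotiated, in a fixed order."""
    negotiated = {outcome[1] for outcome in results.values() if outcome[0] == "accepted"}
    return [name for name in EARLY if name in negotiated]


if __name__ == "__main__":
    # Usage: python probe_tls.py example.test 443   (hostname/port are placeholders)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.test"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe(target, target_port)
    for name in VERSIONS:
        print("%-8s %s" % (name, outcome[name]))
    print("SSL/early TLS negotiated:", early_tls_findings(outcome) or "none")
```

The output is evidence only of which versions the host negotiates on that port. A server that still accepts TLS 1.0 has an early TLS finding regardless of what it prefers with modern clients, and a host that refuses every legacy version still needs the separate question answered of whether SSL/early TLS elsewhere in scope is being relied on as a security control.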
Here we talk with Zach Walker of SecurityMetrics, an Approved Scanning Vendor that works with merchants, about tips for organizations managing failed scans during the migration process.
What recommendations can you provide merchants on working with an ASV on a failed scan?
Zach Walker: The first step is to read through the scan report you receive from your ASV and review the specific recommendations made. Identify any questions you have.
Then, just talk with your ASV. We are here to help you in the process. Our job is to help educate the merchant as much as possible, as well as help figure out if you are using a new or existing implementation.
How do you work with a merchant on SSL/early TLS migration?
Zach Walker: Communication is a critical part of the process. In talking with the merchant about a failed scan, we will figure out what the next steps for mitigation are. We’ll help the merchant understand the type of information needed for disputing failures, such as why or whether they are still needed, and how they can migrate away from them for existing implementations, along with providing guidance for new implementations.
With that information in place, we can help the merchant proceed and gather the risk mitigation and migration plan or the information necessary to put that plan together.
What resources do you recommend to help merchants in this process?
Zach Walker: The Migrating from SSL and Early TLS information supplement has a ton of information for putting a plan together and disputing a finding with your ASV. We highly recommend merchants review this document – it will help you work effectively with your ASV and have confidence about your mitigation and migration efforts to protect your business.
Like what you read? Download the full webcast featuring Zach Walker and other industry experts on the topic of SSL/early TLS migration.