PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance today. The revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

PCI DSS version 3.1 is effective immediately. PCI DSS Version 3.0 will be retired on 30 June 2015.
What has changed?
| PCI DSS v3.1 | Section | PCI DSS v3.0 |
|---|---|---|
| Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. | 2.2.3* | Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. |
| Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access. | 2.3 | Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. |
| Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: · Only trusted keys and certificates are accepted. · The protocol in use only supports secure versions or configurations. · The encryption strength is appropriate for the encryption methodology in use. | 4.1 | Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: · Only trusted keys and certificates are accepted. · The protocol in use only supports secure versions or configurations. · The encryption strength is appropriate for the encryption methodology in use. |
* Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.
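As an added example (not part of the PCI SSC announcement or the standard itself), the following Python script applies the note above to a constructed protocol inventory, classifying each endpoint as compliant, needing a migration plan, or non-compliant depending on the assessment date and whether it is a new implementation, and builds a client-side `ssl` context that meets the three bullets of requirement 4.1 (trusted certificates only, secure protocol versions only, adequate strength via the TLS 1.2 floor). The hostnames are placeholders, treating TLS 1.1 as early TLS alongside TLS 1.0 is an assumption of this example since the page does not define the term, and the POS POI terminal exception in the note is not modelled.

```python
"""Added example: check a protocol inventory against the PCI DSS v3.1 note on
SSL/early TLS and build a client TLS context that satisfies requirement 4.1."""
import ssl
from datetime import date

# Constructed sample inventory (placeholder hostnames, not real systems):
# the protocol versions each endpoint currently accepts.
INVENTORY = {
    "payment-gw.example": ["TLSv1.2", "TLSv1.3"],
    "legacy-pos-proxy.example": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "admin-portal.example": ["TLSv1.0", "TLSv1.1"],
}

# From the v3.1 note: SSL and early TLS may not be used as a security control
# after June 30, 2016. Assumption for this example: "early TLS" covers both
# TLS 1.0 and TLS 1.1, since the page does not define the term.
CUTOFF = date(2016, 6, 30)
WEAK = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def assess(protocols, on, new_implementation=False):
    """Classify one endpoint's enabled protocol list against the v3.1 note.

    Returns one of:
      "compliant"               no SSL/early TLS offered
      "non_compliant"           weak protocol offered after the cutoff, or on a
                                new implementation (forbidden immediately)
      "migration_plan_required" weak protocol offered on/before the cutoff by
                                an existing implementation (plan must exist)
    """
    weak_offered = sorted(set(protocols) & WEAK)
    if not weak_offered:
        return "compliant"
    if new_implementation or on > CUTOFF:
        return "non_compliant"
    return "migration_plan_required"


def assess_inventory(inventory, on, new_hosts=()):
    """Run assess() over every endpoint; new_hosts lists new implementations."""
    return {
        host: assess(protos, on, new_implementation=host in new_hosts)
        for host, protos in inventory.items()
    }


def build_strong_client_context():
    """Client context meeting the 4.1 bullets: only trusted certificates are
    accepted (CERT_REQUIRED plus hostname check) and only secure protocol
    versions are negotiated (TLS 1.2 as the floor, so SSLv3/TLS 1.0/1.1 are
    never offered)."""
    ctx = ssl.create_default_context()  # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Assessment dated just after the v3.1 release: existing endpoints that
    # still offer SSL/early TLS need a migration plan rather than failing.
    for host, status in assess_inventory(INVENTORY, date(2015, 4, 15)).items():
        print(f"{host:28} {status}")
    ctx = build_strong_client_context()
    print("client floor:", ctx.minimum_version.name)
```

Re-running `assess_inventory` with a date after June 30, 2016 turns every `migration_plan_required` result into `non_compliant`, which is the cut-over the note describes; the context builder is the counterpart for outbound connections, where disabling the weak versions on the client side means a downgrade to SSL or early TLS cannot be negotiated regardless of what the server still offers.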
My view on TLS: TLSv1.0 is prone to CBC attacks. Recommended version is TLSv1.2.

Courtesy: PCI DSS