Image courtesy Infosecurity magazine
Recurly is working hard to help educate subscription billing companies about the Payment Card Industry Data Security Standard - PCI DSS. We issued a white paper about PCI DSS V3.0, a recent, comprehensive update to the standard.
Now, right on its heels, PCI DSS Version 3.1 has been released. The new version is effective immediately, but some requirements are future-dated. Recurly customers and others will need to review their system implementations, third-party software, and Internet-connected hardware devices for compliance with the new release.
The key requirement in Version 3.1 is an end to use of the Secure Sockets Layer (SSL) protocol. SSL is used in some older software and is a supported configuration option in a wide range of existing software. SSL has been at the core of several recent security breaches:
The Heartbleed flaw found in OpenSSL implementations.
The POODLE flaw in SSL 3.0.
The Shellshock flaw, which affected Mac OS X and other Unix systems.
The FREAK attack, in which attackers intercept and decrypt SSL traffic in Windows and other software.
Note for Recurly customers: Recurly implemented the needed changes well in advance of the standards changes discussed in this blog post. Recurly customers should be aware that their communications with Recurly can’t use the deprecated protocol versions, as Recurly no longer allows those kinds of connections. Like all merchants, Recurly customers are still responsible for ensuring that their websites, other software they use, and other systems they connect to are secure.
The PCI standard has long required “strong cryptography”, and SSL now falls short of that requirement - as does the widely-used RC4 encryption algorithm. The primary change with the new PCI DSS 3.1 standard is the requirement for companies to move rapidly away from SSL and RC4. Recent versions of a newer standard for transmitting information, Transport Layer Security (TLS), should be used exclusively instead.
Many companies removed all use of SSL on news of the POODLE attack, or before, and have patched their systems against other vulnerabilities. However, for an organization to be fully PCI DSS compliant, it’s not enough to upgrade or reconfigure software which the organization controls directly. Devices the organization uses, such as point of sale (POS) terminals, and external software systems which the organization relies on must also be compliant.
It may be some time before all needed devices and systems can be made compliant, leaving the organizations that depend on them both out of compliance and vulnerable. When updated devices and systems are available, organizations may find themselves in an expensive rush to upgrade.
The Payment Card Industry Security Standards Council (PCI SSC), which controls the release of new versions of PCI DSS, is making Version 3.1 effective immediately. However, deadlines for specific requirements will be future-dated to allow time for organizations to implement changes. Organizations will need to be proactive to meet requirements and protect against vulnerabilities.
PCI SSC bulletin, PCI Security Standards Council, February 13th 2015
Just when you thought you had a handle on PCI DSS 3.0, Dell’s Tech Page One, March 2015
PCI DSS v3.1 and SSL: What you should do NOW, PCIComplianceGuide.org, March 5th 2015
PCI DSS 3.1 Forces Move From SSL to TLS, Infosecurity magazine, April 7th 2015
Heartbleed a Year Later: How the Security Conversation Changed, eWeek, April 7th 2015