In the wake of the POODLE vulnerability identified by NIST and subsequent attacks, the PCI SSC has announced its intent to release the first revision of the PCI DSS 3.0 and PA-DSS 3.0 standards. The PCI DSS 3.1 and PA-DSS 3.1 standards will indicate that the SSL v3.0 protocol no longer meets the PCI SSC’s definition of “Strong Encryption,” and this will have an immediate impact on several existing requirements. However, one key point from the announcement should be highlighted:
“When published PCI DSS v3.1 will be effective immediately, but impacted requirements will be future dated to allow organizations time to implement the changes.”
Much like the current best practice requirements that will not go into effect until July 1st, 2015, we expect the SSC to make similar accommodations for any requirements that will be impacted by the updated definition of strong encryption.
So what does this mean for you and your organization?
Organizations need to perform a risk analysis on the use of SSLv3 in their environment, then determine and document a plan for migrating away from this protocol as soon as possible. There are major security and compliance implications around the use of SSLv3, and having a documented risk analysis and a plan for dealing with the vulnerability is a must. Don’t get caught without a plan!
The changes and expectations in the PA-DSS 3.1 standard will address “both future submissions and currently listed applications.” Organizations that offer or use PA-DSS applications will need to be prepared for how these announced changes will affect their compliance posture. As always, feel free to reach out to your trusted security advisor at Coalfire for assistance and information on how the new standards will impact your organization. For reference, the SSC’s bulletin can be viewed in full on the SSC’s website here:
PCI SSC Bulletin on DSS revisions SSL update