The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released in April 2015. Yet, many organizations are still not compliant with the PCI DSS version 3.0, which went into effect on January 1, 2015. Both versions introduced new requirements for cryptographic keys and digital certificates. While businesses may have a variety of reasons for not meeting the compliance requirements pertaining to keys and certificates, it certainly isn’t because the dangers have subsided. In fact, they’re on the rise.
In a recent Ponemon Institute report, 100% of the organizations surveyed said they had responded to attacks that used keys and certificates within the last 2 years. In response to the growing threat, the Payment Card Industry Security Standards Council (PCI SSC) has introduced stringent rules governing the security and management of keys and certificates.
Just months after PCI DSS v3.0 went into effect, the new PCI DSS v3.1 was released, requiring that SSL and early versions of TLS be replaced to prevent man-in-the-middle attacks like POODLE. Organizations are no longer allowed to use SSL or early TLS with new systems, but have until June 30, 2016 to transition existing ones. This new mandate impacts the PCI DSS requirements that address encryption used to protect cardholder data and requires an enterprise-wide transition to TLS version 1.1 and higher on in-scope systems. The process for migration to TLS 1.1 and higher can be summarized in two steps:
Step 1: Search and Triage
Once the affected applications are identified and it is known how each one processes cardholder data, risk can be assessed and the migration of specific applications can be prioritized.
Step 2: Migration
Migrating to TLS 1.1 and higher will require at least updating the configuration of affected applications. It may also require updating the application to a version that operates only with TLS 1.1 and 1.2.
As migration proceeds, teams should update scans to validate migration. These scans demonstrate progress and compliance, showing SSL, early TLS, and TLS 1.1 and higher usage.
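As an added illustration of the search-and-triage and validation steps above (example code, not from the original post or from Venafi), the script below ranks constructed scan results by risk and tallies SSL, early TLS, and TLS 1.1+ usage for the progress scans. The host names, the one-line scan format and the chd= flag are assumptions made for the example.

```python
from dataclasses import dataclass

# Versions PCI DSS v3.1 requires replacing (SSL and "early TLS").
SSL_VERSIONS = {"SSLv2", "SSLv3"}
EARLY_TLS = {"TLSv1.0"}
NON_COMPLIANT = SSL_VERSIONS | EARLY_TLS

@dataclass
class Endpoint:
    host: str
    port: int
    protocols: set      # protocol versions the server accepted during the scan
    handles_chd: bool   # application processes cardholder data (from the inventory)

# Constructed sample scan output (not real hosts): "host:port protocols chd=yes|no".
SAMPLE_SCAN = """\
payments.example.internal:443 SSLv3,TLSv1.0,TLSv1.2 chd=yes
wiki.example.internal:443 TLSv1.0,TLSv1.1 chd=no
api.example.internal:8443 TLSv1.1,TLSv1.2 chd=yes
legacy-pos.example.internal:8443 SSLv3,TLSv1.0 chd=yes
"""

def parse_scan(text):
    endpoints = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hostport, protos, chd = line.split()
        host, port = hostport.rsplit(":", 1)
        endpoints.append(Endpoint(host, int(port), set(protos.split(",")), chd == "chd=yes"))
    return endpoints

def risk_score(ep):
    """0 = already compliant; higher = migrate sooner."""
    offending = ep.protocols & NON_COMPLIANT
    if not offending:
        return 0
    score = 1
    if ep.handles_chd:
        score += 2              # in scope for PCI: cardholder data is at stake
    if offending & SSL_VERSIONS:
        score += 1              # SSL (POODLE-class exposure) outranks early TLS
    return score

def triage(endpoints):
    """Non-compliant endpoints, highest risk first, with their offending versions."""
    ranked = sorted(endpoints, key=risk_score, reverse=True)
    return [(f"{e.host}:{e.port}", risk_score(e), sorted(e.protocols & NON_COMPLIANT))
            for e in ranked if risk_score(e) > 0]

def migration_status(endpoints):
    """Counts for the progress scans: SSL, early TLS, and TLS 1.1+-only endpoints."""
    return {"ssl": sum(1 for e in endpoints if e.protocols & SSL_VERSIONS),
            "early_tls": sum(1 for e in endpoints if e.protocols & EARLY_TLS),
            "tls11_plus_only": sum(1 for e in endpoints if not e.protocols & NON_COMPLIANT)}
```

Re-running the scan and feeding the new output through migration_status gives the before/after numbers the compliance evidence needs.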
However, most organizations still need to address the new key and certificate requirements in PCI DSS v3.0 as well. Here are the top regulations with a description of the impact to your organization’s security resources:
Learn how Venafi is designed to make meeting the new PCI DSS requirements for keys and certificates easy at Venafi.com/PCI.
Last year, Securing Cryptographic Keys and Digital Certificates was a PCI SSC 2015 Special Interest Group (SIG) Finalist. This topic was not selected for 2015, but has been resubmitted for consideration as a 2016 PCI SSC SIG. Want key and certificate security as a PCI SIG? Let the PCI SSC know you’re interested! And drop me a comment if you’d like to participate.