E-commerce enterprises gently told to update those protocols ... or else

Response to Heartbleed, Shellshock, Poodle really kicks in

A revamp in payment card industry regulations due out later this month will penalise e-commerce enterprises that rely on outdated crypto protocols.

The PCI Security Standards Council's updated standard, PCI DSS 3.1, mandates that businesses move away from SSL onto more modern TLS protocols.

The council is introducing the changes in response to recent exploits (Heartbleed, Shellshock, Poodle) that take advantage of security shortcomings in aging protocols such as SSLv3.

The practical upshot is that e-commerce businesses need to make sure their web servers are configured to work with TLS, and turn off their SSL support, if they want to avoid increased payment processing charges in general, or big fines if anything goes wrong.
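As an added illustration of that configuration check (example code written for this page, not anything from the PCI Council or The Register), the script below audits nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports any that still enable SSLv2 or SSLv3. The config snippets are constructed, and the expansion of Apache's `all` keyword to include SSLv3 is an assumption that matches OpenSSL builds of the period, not something the article states.

```python
"""Flag web-server TLS directives that still enable SSL versions.

Constructed example: parses nginx 'ssl_protocols' and Apache 'SSLProtocol'
lines and reports those that leave SSLv2 or SSLv3 switched on.
"""
import re

SSL_VERSIONS = {"SSLv2", "SSLv3"}

# Assumption: Apache's "all" keyword expands to every protocol the OpenSSL
# build supports; on 2015-era builds that still includes SSLv3.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_nginx(line):
    """'ssl_protocols SSLv3 TLSv1 ...;' -> set of enabled protocol names, else None."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
    if not m:
        return None
    return set(m.group(1).split())


def parse_apache(line):
    """'SSLProtocol all -SSLv3' / 'SSLProtocol TLSv1.2' -> set of enabled names, else None.

    Tokens prefixed with '-' remove a protocol, '+' or no prefix adds one.
    """
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.I)
    if not m:
        return None
    enabled = set()
    for tok in m.group(1).split():
        negate = tok.startswith("-")
        name = tok.lstrip("+-")
        names = APACHE_ALL if name.lower() == "all" else {name}
        if negate:
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit(config_text):
    """Return [(line_no, [offending SSL versions]), ...] for a config file's text."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        enabled = parse_nginx(line)
        if enabled is None:
            enabled = parse_apache(line)
        if enabled is None:
            continue                          # not a protocol directive
        bad = sorted(enabled & SSL_VERSIONS)
        if bad:
            findings.append((n, bad))
    return findings


# Constructed sample configs: the weak setting beside its corrected form.
WEAK_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
FIXED_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.1 TLSv1.2;\n}\n"
WEAK_APACHE = "SSLProtocol all\n"
FIXED_APACHE = "SSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("fixed nginx", FIXED_NGINX),
                       ("weak apache", WEAK_APACHE), ("fixed apache", FIXED_APACHE)]:
        print(label, "->", audit(cfg) or "OK")
```

Reading the config is only half the check: after a change, confirm the running service from outside with a handshake attempt that is restricted to SSLv3 (for example `openssl s_client -ssl3` on a build that still has SSLv3 compiled in) and make sure it is refused.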

Mobile commerce apps need to be updated for the same reason.

TLS is the evolution of SSL (both are encryption protocols) and both use the same certificates for security, so most businesses will not need to get their trusted CA certificates reissued.

Michael Aminzade, Trustwave veep of global compliance and risk services, said the biggest challenge involves payment applications, since many of them use SSL to move payment transactions from the merchant to the processor.

Four in five companies still fail PCI compliance at their interim assessment, according to a recent study by Verizon, which found that only 28.6 per cent of companies were still fully compliant less than a year after successful validation.

The report is based on the results from thousands of PCI assessments run by consultants mostly on larger businesses, in 30 countries.

PCI 3.0 became mandatory for all businesses that store, process or transmit payment card information at the beginning of January. The revised standard includes requirements aimed at third party providers, as previously reported.

PCI DSS has been the established payment card industry standard since 2006. PCI has historically been criticised as simply offering a minimal security baseline, containing such advice as "use an antivirus" and "protect cardholder data", rather than adopting a more risk-based or business-focused set of criteria.

Small shops can pass the regulations through self-assessment, but larger firms are obligated to hire an independent Qualified Security Assessor to run independent audits. This is a very significant source of work for many security consultants. ®
