The Payment Card Industry Security Standards Council (PCI SSC) has published a revision of the PCI DSS standard, version 3.2.1. According to representatives of the organization, this release contains only minor clarifications, but it is a preparatory step before the release of a new major version of the standard, expected in 2020. Below we explain what was done and why.
What changed and why
Right away, we note that there are no new requirements in this version. According to PCI SSC chief technology officer Troy Leach, the goal of 3.2.1 is to eliminate confusion over dates.
The release makes three changes to the main document:
- All notes referring to the February 1 effective date of the PCI DSS 3.2 requirements were removed. This was done to avoid possible confusion, since that date is now "in the past."
- MFA (multi-factor authentication) is no longer treated as a compensating control. For non-console administrative access, multi-factor authentication is mandatory; one-time passwords can still be used as an access-control mechanism.
- A note was added stating that after June 30, 2018 only POS and POI terminals and their connection points to the service provider's network may use SSL / TLS below version 1.2. In all other cases, TLS 1.2 must be used.
The full standard document is published on the official PCI SSC website, and information on the other minor edits can be found in the official document. Next we look at who is affected by the above changes.
Why organizations need to upgrade to TLS 1.2
According to PCI DSS, on June 30, organizations (except for the previously designated case) will have to switch to more secure data encryption protocols, such as TLS version 1.2 or higher.
The requirement is motivated by vulnerabilities discovered in SSLv3 and early versions of TLS, such as the POODLE attack, which allows an attacker to extract confidential information from an encrypted communication channel.
In the encrypted traffic, the attacker locates and isolates specially tagged blocks that are sent to the site by malicious JavaScript code. By sending a series of such forged requests, the attacker can reconstruct the data of interest, such as cookies, character by character.
The main danger is that the attacker can force the client to fall back to SSLv3 by simulating connection failures (a protocol downgrade). That is why PCI SSC insists on the move to TLS 1.2 by June 30. All companies that have not yet completed the transition should contact a company with Approved Scanning Vendor (ASV) status and obtain documented confirmation that they are implementing a risk-mitigation plan and will complete the migration by the deadline.
Information on the migration procedure, the relevant requirements, and an FAQ can be found in the annex to the standard published by the PCI SSC.
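An ASV scan establishes which protocol version a server actually negotiates, which is exactly the fact the June 30 deadline turns on. The following Python script, added here as an illustration and not part of the original post or of any PCI SSC or ASV tooling, parses the version out of a TLS ServerHello record and classifies it against the 3.2.1 baseline (TLS 1.2 or higher, with the POS/POI terminal exception flagged separately). It also handles the TLS 1.3 case, where the ServerHello carries legacy_version 0x0303 and the real version sits in the supported_versions extension. The ServerHello records it checks are constructed inline with a small builder; the function and dictionary names are the author's own.

```python
from __future__ import annotations

# Wire-format protocol versions (major, minor) as they appear in SSL/TLS records.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

# PCI DSS 3.2.1 baseline: TLS 1.2 or higher for everything except protected
# POS/POI terminals and their connection points.
MINIMUM_ALLOWED = (3, 3)

SUPPORTED_VERSIONS_EXT = 0x002B  # extension type used by TLS 1.3 to carry the real version


def parse_server_hello(record: bytes) -> tuple[int, int]:
    """Return the protocol version negotiated by a single TLS ServerHello record."""
    if len(record) < 9:
        raise ValueError("record too short for TLS record + handshake headers")
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello body")

    pos = 0
    legacy_version = (body[pos], body[pos + 1])
    pos += 2
    pos += 32                      # server random
    pos += 1 + body[pos]           # session_id length + session_id
    pos += 2                       # cipher suite
    pos += 1                       # compression method
    if pos >= len(body):
        return legacy_version      # no extensions: pre-TLS 1.3 style ServerHello

    ext_total = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions length exceeds ServerHello body")
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == SUPPORTED_VERSIONS_EXT and len(data) == 2:
            return (data[0], data[1])   # TLS 1.3: selected_version overrides legacy_version
        pos += 4 + ext_len
    return legacy_version


def assess(record: bytes, pos_terminal: bool = False) -> dict:
    """Classify a ServerHello against the PCI DSS 3.2.1 TLS 1.2+ requirement."""
    version = parse_server_hello(record)
    name = VERSION_NAMES.get(version, f"unknown {version}")
    compliant = version >= MINIMUM_ALLOWED
    if compliant:
        verdict = "OK: meets the TLS 1.2+ baseline"
    elif pos_terminal:
        verdict = "EXCEPTION: POS/POI terminal; allowed only if protected from known protocol vulnerabilities"
    else:
        verdict = "FAIL: must migrate to TLS 1.2 or higher"
    return {"version": name, "compliant": compliant, "verdict": verdict}


def build_server_hello(legacy: tuple[int, int], selected: tuple[int, int] | None = None) -> bytes:
    """Construct a minimal ServerHello record (constructed test data, not a real capture)."""
    body = bytes(legacy) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if selected is not None:
        ext = SUPPORTED_VERSIONS_EXT.to_bytes(2, "big") + (2).to_bytes(2, "big") + bytes(selected)
        body += len(ext).to_bytes(2, "big") + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(legacy) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample records covering the cases an ASV scan distinguishes.
SAMPLES = {
    "legacy-sslv3": build_server_hello((3, 0)),
    "tls10": build_server_hello((3, 1)),
    "tls12": build_server_hello((3, 3)),
    "tls13": build_server_hello((3, 3), selected=(3, 4)),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        result = assess(rec, pos_terminal=(label == "tls10"))
        print(f"{label:13} {result['version']:8} {result['verdict']}")
```

Note that a single ServerHello only tells you what was negotiated for that one connection; to confirm that SSLv3 or early TLS is actually disabled, a scan has to offer each legacy version on its own and verify that the server refuses it rather than falling back.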
Who will be affected by the changes
The changes affect service providers and merchants. Providers may allow merchants to use outdated SSL / TLS protocols only if the provider itself has confirmed that it has controls in place that mitigate the risks of establishing such connections. At the same time, service providers should regularly inform their customers about the possible problems of using earlier versions of SSL.
As for the merchants themselves, they are allowed to use SSL / early TLS if their POS and POI terminals are protected from known protocol vulnerabilities. However, when new potentially dangerous exploits appear, the terminals' protocols will have to be updated immediately.
Once again about the timing
The deadline for implementing the requirements of the previous version of the standard (3.2) is December 31, 2018. PCI DSS 3.2.1 requirements need to be implemented before January 1, 2019.
Work on the new version of the standard is already underway: the PCI SSC is currently collecting and analyzing feedback from community member organizations. The full release of the new PCI DSS is scheduled for 2020.