In February 2015, the PCI Council announced that a change was coming related to the use of SSL (Secure Sockets Layer). As promised, due to exploits such as Heartbleed, and Poodle amongst others, the council has updated their guidelines to encourage merchants to upgrade to SSL’s successor, Transport Layer Security (TLS).
The Council also stated that later this month it will release the new 3.1 standard which will include the deprecation of SSL and a timeframe in which all merchants must be compliant. They will also be releasing a Payment Application Data Security Standard (PA-DSS) update with the same requirement that will apply to specifically to the standard for development of payment applications.
What does this mean to those who need to be PCI compliant? It’s not as scary as it sounds. Today’s modern browsers are all TLS capable, as are modern web servers. You will need to disable SSL and only allow TLS on the web server. Your current SSL certificates will not need to be replaced, unless you suspect that one of the SSL exploits was enacted against your certificate and it may be compromised.
Even if you do not need to be PCI compliant, it’s best that anyone who manages a website take these actions as a cyber security best practice. The dangers now known about SSL place a responsibility on those charged with protection of networks and data to move away from the unsecure protocols and only practice secure computing both on the internet and internal networks.
