PCI 3.1 released – SSL 3.0 and TLS 1.0 no longer good enough

A minor update to the PCI:DSS standard was released by the PCI SSC earlier this week in the form of PCI:DSS 3.1. Due to the vulnerabilities exposed in the recent POODLE and BEAST browser attacks, the standard no longer cites SSL 3.0 or TLS 1.0 as examples of strong cryptography.

It prohibits the implementation of any new technology using SSL or early TLS with these known vulnerabilities, but gives merchants until the 30th June 2016 to stop using these encryption protocols. What merchants must do in the meantime, according to the new standard, is create a formal risk mitigation and migration plan.

This is quite interesting – as we all know, risk management is a key part of managing information security, and this latest decision resurrects the old debate about security vs. compliance: security is an everyday occurrence and compliance is a check-box exercise.

In an ideal world, organisations should be practising active information risk management anyway, identifying and evaluating new threats and putting mitigation strategies in place to deal with them – PCI:DSS should be a completeness check at the end, similar to Annex A in ISO27001.

As the major PCI breaches have clearly shown in the last year, compliance with the standard does not mean you are by definition secure.

So the message is clear (and to an extent it is starting to be reiterated by the PCI SSC itself) – don’t rely purely on PCI compliance as an indicator of the robustness of your security posture. Understand your environment and its weaknesses, keep your eyes and ears open to new threats, and put mitigating controls in place to deal with threats that pose a real risk to your business, regardless of whether they are mandated by any standard.

The PCI:DSS standard is by nature static, despite all the efforts to maintain it on a regular basis. Conversely, security threats are very, very dynamic. Relying on PCI compliance alone is like taking a knife to a gun fight. Ask Target.