PCI 3.1 : Why so Quick

PCI Security Standards Council was created in 2006 to protect organizations and their customers from fraud. PCI compliance is a nationwide standard that all organizations that collect, exchange, and process must follow in order to be secure. Typically PCI compliance is updated once every three years. PCI 3.0 went into full effect in Jan 2015 so how come PCI 3.1 was rushed out so quickly? Although there were a few clarifications changes the main reason for this rush was a vulnerability found in SSL 3.0.

SSL(Secure Socket Layer) certificates are essential in the data encryption process making internet transactions secure. Although there have been some vulnerabilities found in the past with earlier versions and even though we currently don’t use SSL 3.0 the vulnerability found had to be addressed immediately, due to an attack against the SSL 3.0 protocol. SSL/TLS was designed to be backward compatible, which means if the highest level of security can not make a connection the program will work backward until it finds a match and can connect. The problem with this is an attack called POODLE( Padding Oracle On Downgrading Legacy Encryption) which attacks the flaw within the SSL protocol itself. Essentially if an attacker can prompt a secure connections failure the software will default back to SSL 3.0 which opens up new vulnerabilities that the attacker can use. For example, the individual who was able to force the failure can now attempt a new attack known as a man-in-the-middle attack by taking partial control of the user side of SSL and still have visibility of the ciphertext.

Based on the latest PCI 3.1 compliance standards all organizations which use SSL or early stages of TLS must have a plan in place for a formal risk migration and mitigation. Any new implementations must not use SSL anymore and must implement a new version of TLS or new technologies.