The Payment Card Industry Security Standards Council (PCI SSC) has announced that no version of Secure Sockets Layer (SSL) technology meets its definition of "strong cryptography." Accordingly, it will need to revise its Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).
According to a PCI press release, the announcement was based on findings by the National Institute of Standards and Technology (NIST) that the Secure Sockets Layer v3.0 protocol is no longer acceptable for the protection of data because of inherent weaknesses within the protocol itself.
With no known way to remediate vulnerabilities in the SSL protocol, the PCI SSC is urging organizations to work with IT departments and partners to determine whether they are using SSL and what options they have for upgrading to a strong cryptographic protocol as soon as possible.
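The inventory step the council asks for, finding out whether a server still accepts SSL, can be checked directly rather than inferred from configuration files. The following script is an added example, not part of the PCI SSC announcement or of any PCI material: it sends a minimal SSLv3 (record version 3.0) ClientHello and classifies the first record the server sends back. A ServerHello at version 3.0 means SSLv3 is still enabled; a protocol_version alert or an immediate close means the server has refused it. The host and port are the caller's assumptions, and the sample records used to illustrate the classifier are constructed.

```python
"""SSLv3 acceptance check (added example, not from the PCI SSC announcement).

Sends a minimal SSLv3 ClientHello (RFC 6101 record and handshake layout)
and classifies the server's first record. Only acceptance is tested;
no key exchange is completed.
"""
import socket
import struct

CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
SSLV3 = (3, 0)                       # record/protocol version bytes for SSLv3

# Alert descriptions a TLS-only server typically returns to a 3.0 hello.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Return a record-framed SSLv3 ClientHello.

    The default suites are constructed sample values (AES128-SHA,
    AES256-SHA, 3DES-EDE-CBC-SHA) that SSLv3-era servers understand.
    """
    client_random = bytes(32)        # fixed value: we only test acceptance
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(SSLV3)                                 # client_version = 3.0
        + client_random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression: null only
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([CONTENT_HANDSHAKE]) + bytes(SSLV3) + struct.pack("!H", len(handshake))
    return record_header + handshake


def classify_response(record):
    """Classify the first record a server returned to the SSLv3 ClientHello.

    Constructed examples:
      b"\\x16\\x03\\x00\\x00\\x02\\x02\\x00"  -> "sslv3-accepted"
      b"\\x15\\x03\\x00\\x00\\x02\\x02\\x46"  -> "sslv3-refused (protocol_version)"
      b""                                     -> "no-response"
    """
    if len(record) < 5:
        return "no-response"         # server closed the connection: SSLv3 refused
    content_type = record[0]
    version = (record[1], record[2])
    if (content_type == CONTENT_HANDSHAKE and version == SSLV3
            and len(record) >= 6 and record[5] == HANDSHAKE_SERVER_HELLO):
        return "sslv3-accepted"      # server agreed to speak SSLv3: remediate
    if content_type == CONTENT_ALERT and len(record) >= 7:
        description = ALERT_DESCRIPTIONS.get(record[6], "alert %d" % record[6])
        return "sslv3-refused (%s)" % description
    return "unexpected"


def check_host(host, port=443, timeout=5.0):
    """Connect to host:port (caller-supplied assumptions) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumption
    print(target, check_host(target))
```

Run it against each externally reachable endpoint in the cardholder data environment and treat any "sslv3-accepted" result as an item for the remediation plan; "sslv3-refused" or "no-response" means the server already declines the protocol.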
Once published, PCI DSS v3.1 will be effective immediately; however, the affected requirements will be future-dated to give organizations time to implement the changes.
Ernie Schell is Director of the consultancy Marketing Systems Analysis. He has over twenty years' experience consulting with direct marketing, eCommerce, and fulfillment companies on specifying, selecting, and implementing order entry, fulfillment, and eCommerce systems.
Ernie was Editor of Target Marketing from 1981 to 1983. Since founding his own consulting firm, he has contributed hundreds of articles and reviews to Catalog Age, Operations and Fulfillment, Target Marketing, Catalog Success, and Multichannel Merchant magazines. He is a regular speaker at the National Conference on Operations & Fulfillment, and makes presentations at numerous other business and marketing conferences in the US and the UK.