“SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control after June 30, 2018.” – PCI Security Standards Council
The newest revision of the PCI Security Standards Council policy, PCI DSS 3.1, establishes a new baseline for the strong cryptography required to secure payment card related traffic: TLS 1.2, TLS being the successor to SSL.
This change must be adopted by sites which handle payment card data no later than 30 June 2018. According to the PCI Council FAQ: "The successor protocol to SSL is TLS (Transport Layer Security) and its most current version as of this publication is TLS 1.2. TLS 1.2 currently meets the PCI SSC definition of 'strong cryptography'." While PCI is specific to payment card information, the PCI guidelines are also used by sites in general for security guidance.
No version of SSL (SSL 3.0 and earlier) is considered "strong cryptography" for the purposes of protecting customer data. The World Aquaculture Society (WAS) has not supported SSL 3.0 since October 2014, due to the POODLE vulnerability, so for WAS customers the primary impact of PCI 3.1 is that TLS 1.0 and TLS 1.1 are also insufficient to secure payment card related traffic.
The PCI DSS v3.1 requirements directly affected are:
- Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons considered insecure.
- Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Both TLS 1.0 and TLS 1.1 have known weaknesses which make them less than ideal for protecting information, although substantially stronger than SSL 3.0. TLS 1.0/TLS 1.1 are widely used today, protecting a substantial fraction of encrypted web traffic. WAS is committed to the encrypted web while also ensuring sites are accessible to the greatest number of web browsers possible, so we intend to balance these concerns.
As a result of the PCI 3.1 changes, WAS has implemented a transition plan to migrate traffic toward TLS 1.2 in advance of the PCI Council requirements.
1) We are monitoring browsers and traffic to track the percentage of TLS 1.0 and TLS 1.1 traffic relative to the total volume of encrypted traffic. In October 2014, this traffic was approximately 30% of all encrypted traffic on WAS's servers. As recently as September 2015, nearly 10% of the traffic on was.org originated from Windows XP, which is not capable of running a browser that supports TLS 1.2.
2) We are now alerting users of insecure browsers and operating systems that they need to upgrade as soon as possible. Changes we will be implementing prior to the June 30, 2018 deadline will make was.org completely inaccessible to browsers that do not support TLS 1.2.
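Step 1 of the plan, measuring what share of encrypted traffic still negotiates TLS 1.0 or 1.1, can be done directly from web server access logs once the server records the negotiated protocol. The script below is an added example, not WAS's own tooling. It assumes a combined-format log with two extra trailing fields, the negotiated protocol and cipher (nginx logs these as `$ssl_protocol $ssl_cipher`, Apache as `%{SSL_PROTOCOL}x %{SSL_CIPHER}x`); the sample log lines and the 1% readiness threshold are constructed for illustration. Plain-HTTP requests (logged as `-`) are excluded from the encrypted total, and lines that do not parse are counted rather than silently dropped, so a format change is noticed instead of skewing the percentage.

```python
"""Tally negotiated TLS protocol versions from web server access logs.

Added example. Assumes combined log format plus two trailing fields,
negotiated protocol and cipher (nginx: "$ssl_protocol $ssl_cipher";
Apache: "%{SSL_PROTOCOL}x %{SSL_CIPHER}x"). Sample lines are constructed.
"""
import re
from collections import Counter

# Constructed sample log, not real traffic. A plain-HTTP request logs "-" in
# both extra fields; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [01/Sep/2015:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 TLSv1 AES128-SHA
203.0.113.12 - - [01/Sep/2015:10:00:03 +0000] "POST /checkout HTTP/1.1" 302 0 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
203.0.113.13 - - [01/Sep/2015:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 8192 - -
203.0.113.14 - - [01/Sep/2015:10:00:05 +0000] "GET /account HTTP/1.1" 200 2048 TLSv1.1 AES256-SHA
203.0.113.15 - - [01/Sep/2015:10:00:06 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.16 - - [01/Sep/2015:10:00:07 +0000] "GET /login HTTP/1.1" 200 1024 TLSv1 AES128-SHA
203.0.113.17 - - [01/Sep/2015:10:00:08 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.18 - - [01/Sep/2015:10:00:09 +0000] "GET /about HTTP/1.1" 200 4096 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.19 - - [01/Sep/2015:10:00:10 +0000] "GET / HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
this line is not in the expected format
"""

# Combined log format with the two assumed trailing fields.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Versions PCI DSS 3.1 no longer accepts as strong cryptography.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tally_protocols(log_text):
    """Return (Counter of negotiated protocol per encrypted request,
    plaintext request count, unparsed line count)."""
    counts = Counter()
    plaintext = 0
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # format drift: count it, do not skew the ratio
            continue
        proto = m.group("proto")
        if proto == "-":
            plaintext += 1  # not encrypted, excluded from the TLS total
        else:
            counts[proto] += 1
    return counts, plaintext, unparsed


def legacy_share(counts):
    """Fraction of encrypted requests negotiated with SSLv3/TLS 1.0/TLS 1.1."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for p, n in counts.items() if p in LEGACY_PROTOCOLS) / total


def ready_for_tls12_only(counts, max_legacy_share=0.01):
    """True when legacy traffic is at or below the threshold.
    The 1% default is an assumed policy value, not a PCI figure."""
    return legacy_share(counts) <= max_legacy_share


def report(log_text=SAMPLE_LOG):
    """Summarise one log extract as a dict suitable for periodic tracking."""
    counts, plaintext, unparsed = tally_protocols(log_text)
    return {
        "encrypted_requests": sum(counts.values()),
        "by_protocol": dict(counts),
        "plaintext_requests": plaintext,
        "unparsed_lines": unparsed,
        "legacy_share": round(legacy_share(counts), 4),
        "ready_for_tls12_only": ready_for_tls12_only(counts),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the constructed sample, three of nine encrypted requests are TLS 1.0 or 1.1, a legacy share of about 33%, well above the assumed 1% threshold for switching to TLS 1.2-only. Running the same report over daily log extracts gives the trend line that step 1 of the plan describes.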
We expect the majority of encrypted web traffic will upgrade to TLS 1.2 before the 30 June 2018 deadline for PCI. We believe the level of adoption of TLS 1.2 will rapidly increase based on the new PCI guidance, and if this happens, it will be feasible for an increasing number of sites to go "TLS 1.2-only" as the 30 June 2018 deadline approaches. If the level of TLS 1.2 browser adoption is insufficient to allow customers to switch entirely to TLS 1.2-only by the deadline, we are exploring alternatives. We will release more information on TLS 1.2 adoption as well as any updates to the encryption options available to WAS customers on an ongoing basis.