

By John Leyden, 7th April 2015 08:22

E-commerce enterprises gently told to update those protocols ... or else

Response to Heartbleed, Shellshock, Poodle really kicks in

A revamp in payment card industry regulations due out later this month will penalise e-commerce enterprises that rely on outdated crypto protocols.

The PCI Security Standards Council updated standard – PCI DSS 3.1 – mandates that businesses move away from SSL onto more modern TLS protocols.

The council is introducing the changes in response to a run of high-profile vulnerabilities (Heartbleed, Shellshock, Poodle). Strictly speaking only Poodle is a flaw in the protocol itself: it is a padding-oracle attack on the CBC cipher suites of SSLv3, and no patch short of disabling SSLv3 removes it. Heartbleed was a memory-disclosure bug in OpenSSL's heartbeat code and Shellshock a bug in bash, but between them they have ended the industry's tolerance for aging crypto stacks.

The practical upshot is that e-commerce businesses need to make sure their web servers negotiate TLS and have SSL (SSLv2 and SSLv3) switched off, or face higher payment processing charges as a matter of course and heavy fines if a breach follows. Note that the updated standard's wording treats "early TLS" (TLS 1.0) as no longer strong cryptography either, so removing SSLv3 alone does not settle the matter.
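Checking whether a server still negotiates SSLv3 is less obvious than it sounds: OpenSSL builds from 1.1.0 onwards have SSLv3 compiled out, so `openssl s_client -ssl3` simply errors on the client side and proves nothing about the server. The probe below, an added example and not code from the article or from the PCI SSC, sends a bare ClientHello for each protocol version over a plain socket and classifies the first record that comes back (ServerHello, alert, or a dropped connection), so it works regardless of the local crypto library. The host name `shop.example` in the usage comment is a placeholder; run it only against hosts you are authorised to test. The sample replies embedded for the offline self-check are constructed, not captured.

```python
"""Probe which SSL/TLS versions a server will negotiate by sending a bare
ClientHello per version and reading the first record that comes back.

Added example (not from the article or the PCI SSC). Standard library only,
so it works where the local OpenSSL has SSLv3 compiled out.
"""
import os
import socket
import struct
import sys

# Protocol versions as they appear on the wire: (major, minor).
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# Common RSA cipher suites so that any server speaking the offered version
# has something to choose from (RC4 for old stacks, 3DES, AES-CBC).
CIPHER_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D]

# Alert descriptions a server typically uses to refuse a version.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(offered):
    """Build one ClientHello record (no extensions) for (major, minor) `offered`."""
    major, minor = offered
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                    # client_version
        + os.urandom(32)                         # client random
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(offered, data):
    """Classify the first record a server returns to a ClientHello offering `offered`.

    'accepted'         ServerHello carrying exactly the offered version
    'downgraded:<ver>' ServerHello for a lower version (server lacks the offered one)
    'rejected:<alert>' fatal alert naming the reason
    'closed'           connection dropped without a record
    'unknown'          anything else
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    ctype, _maj, _min, rec_len = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rec_len]
    if ctype == 0x15 and len(body) >= 2:                        # ContentType alert
        return "rejected:" + ALERTS.get(body[1], str(body[1]))
    if ctype == 0x16 and len(body) >= 6 and body[0] == 0x02:    # HandshakeType server_hello
        chosen = (body[4], body[5])
        if chosen == offered:
            return "accepted"
        return "downgraded:" + VERSION_NAMES.get(chosen, "%d.%d" % chosen)
    return "unknown"


def probe(host, port=443, version_name="SSLv3", timeout=5.0):
    """Connect to host:port, send a ClientHello for `version_name`, classify the reply."""
    offered = VERSIONS[version_name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(offered))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(offered, data)


def sample_server_hello(version):
    """Constructed sample reply (not a real capture): minimal ServerHello for `version`."""
    major, minor = version
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample reply: fatal (2) protocol_version (70) alert in a TLS 1.0 record.
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    # Offline self-check against the constructed samples.
    assert classify_response((3, 0), sample_server_hello((3, 0))) == "accepted"
    assert classify_response((3, 0), SAMPLE_ALERT) == "rejected:protocol_version"
    # Live probe of a host you are authorised to test, e.g.: python probe.py shop.example
    if len(sys.argv) > 1:
        for name in VERSIONS:
            print("%-8s %s" % (name, probe(sys.argv[1], version_name=name)))
```

A compliant server answers the SSLv3 and TLSv1.0 rows with `rejected:protocol_version`, `rejected:handshake_failure` or `closed`, and `accepted` for TLSv1.2; a `downgraded:` result means the server quietly fell back to an older version rather than refusing. On nginx the fix is an `ssl_protocols` line that no longer lists `SSLv3` or `TLSv1` (for example `ssl_protocols TLSv1.2;`, adding `TLSv1.1` only if legacy clients demand it); on Apache httpd the equivalent is `SSLProtocol` with `-SSLv3 -TLSv1` or an explicit `TLSv1.2`. Re-run the probe after reloading to confirm the change took effect on every listener, not just the one you edited.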

Mobile commerce apps need to be updated for the same reason.

TLS is the successor to SSL (both are transport encryption protocols) and both use the same X.509 certificates, so most businesses will not need to have their CA-issued certificates reissued; the work is in the server and client configuration, not the keys.

Michael Aminzade, Trustwave veep of global compliance and risk services, said the biggest challenge involves payment applications, since many of them use SSL to move payment transactions from the merchant to the processor.

Four in five companies still fail PCI compliance at their interim assessment, according to a recent study by Verizon; the same report found that only 28.6 per cent of companies were still fully compliant less than a year after successful validation.

The report is based on the results from thousands of PCI assessments run by consultants mostly on larger businesses, in 30 countries.

PCI DSS 3.0 became mandatory for all businesses that store, process or transmit payment card information at the beginning of January 2015. The revised standard includes requirements aimed at third-party providers, as previously reported.

PCI DSS has been the payment card industry's established standard since the council took it over in 2006. PCI has historically been criticised as offering no more than a minimal security baseline, with advice such as "use an antivirus" and "protect cardholder data", rather than a risk-based or business-focused set of criteria.

Small shops can pass the regulations through self-assessment, but larger firms are obliged to hire an independent Qualified Security Assessor (QSA) to run audits. This is a very significant source of work for many security consultants. ®
