The Channel logo

News

By | John Leyden 7th April 2015 08:22

E-commerce enterprises gently told to update those protocols ... or else

Response to Heartbleed, Shellshock, Poodle really kicks in

A revamp in payment card industry regulations due out later this month will penalise e-commerce enterprises that rely on outdated crypto protocols.

The PCI Security Standards Council updated standard – PCI DSS 3.1 – mandates that businesses move away from SSL onto more modern TLS protocols.

The council is introducing the changes in response to recent exploits (Heartbleed, Shellshock, Poodle) that take advantage of these security shortcomings of aging protocols, such as SSLv3.

The practical upshot is that e-commerce businesses need to make sure their web servers are configured to work with TLS, and turn off their SSL support, if they want to avoid increased payment processing charges in general or big fines if anything goes wrong.

Mobile commerce apps need to be updated for the same reason.

TLS is the evolution of SSL (both are encryption protocols) and that both use the same certificates for security, so most businesses will not need to get their trusted CA certificates reissued.

Michael Aminzade, Trustwave veep of global compliance and risk services, said the biggest challenge involves payment applications, since many of them use SSL to move payment transactions from the merchant to the processor.

Four in five companies still fail PCI compliance at their interim assessment, according to a recent study by Verizon, which found that only 28.6 per cent of companies were still fully compliant less than a year after successful validation.

The report is based on the results from thousands of PCI assessments run by consultants mostly on larger businesses, in 30 countries.

PCI 3.0 became mandatory for all businesses that store, process or transmit payment card information at the beginning of January. The revised standard includes requirements aimed at third party providers, as previously reported.

PCI DSS has been the established payment card industry standard since 2006. PCI has historically been criticised as simply offering a minimal security baseline, containing such advice as "use an antivirus" and "protect cardholder data", rather than adopting a more risk-based or business-focused set of criteria.

Small shops can pass the regulations through self-assessment, but larger firms are obligated to hire independent Qualified Security Assessor to run independent audits. This is a very significant source of work for many security consultants. ®

comment icon Read 8 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'