On January 30, 2015, QSAs received the latest edition of the Council’s Assessor Newsletter. Buried in that edition was the following statement.
“Notice: PCI DSS and PA-DSS v3.1 Revisions Coming
In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue. (Highlighting emphasis added by the PCI Guru)
We are working with industry stakeholders to determine the impact and the best way to address the issue. While we do not have the final publication date, our goal is to keep you apprised of the progress and to provide you with advanced notification for these pending changes. We are also preparing several FAQs that will accompany release of the revised standards.
Should you have any questions, please contact your Program Manager.”
Because the announcement was titled as being about the coming v3.1 revisions to the PCI DSS and PA-DSS standards, I am sure a lot of QSAs missed this pronouncement.
Not that this should be a surprise to any QSA, as the POODLE vulnerability effectively killed SSL. The Council has now officially announced that SSL is no longer deemed to be strong cryptography.
Therefore, those of you still using SSL to secure transmissions containing cardholder data (CHD) need to stop that practice as soon as possible and convert to TLS or IPSec.
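One practical way to find out whether anything on a cardholder data segment is still negotiating SSL rather than TLS is to look at the ClientHello messages clients actually send. The following is an added example written for this post; it is not code from the PCI Guru or from the PCI SSC. It parses the version fields of a ClientHello (both the SSLv2-compatible format and the TLS record format, including the TLS 1.3 supported_versions extension), reports the highest protocol the client offered, and flags anything below TLS 1.0, which is the "no version of SSL" threshold stated in the Council's notice. The sample handshakes are constructed inline for illustration, not captured traffic, and the `minimum_version` threshold is an assumption you can raise to match later guidance.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSION_NAMES = {
    0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
    0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B


def highest_offered_version(data: bytes):
    """Return the highest protocol version offered in a ClientHello, or None
    if the bytes are not a ClientHello (or are too short/malformed)."""
    try:
        if len(data) < 6:
            return None
        # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
        # then message type 0x01 and a 2-byte client version.
        if data[0] & 0x80 and data[2] == 0x01:
            return struct.unpack("!H", data[3:5])[0]
        if data[0] != 0x16:  # not a Handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:  # handshake type must be ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        version = struct.unpack("!H", body[:2])[0]   # client_version / legacy_version
        pos = 2 + 32                                   # skip 32-byte random
        pos += 1 + body[pos]                           # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                           # compression methods
        if pos + 2 <= len(body):                       # optional extensions block
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                edata = body[pos:pos + elen]
                pos += elen
                if etype == SUPPORTED_VERSIONS_EXT and elen >= 1:
                    n = edata[0]
                    offered = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                               for i in range(0, n, 2)]
                    # Drop GREASE placeholder values (0x?a?a) before comparing.
                    real = [v for v in offered if (v & 0x0F0F) != 0x0A0A]
                    if real:
                        version = max(version, max(real))
        return version
    except (struct.error, IndexError):
        return None


def assess_client_hello(data: bytes, minimum_version: int = 0x0301):
    """Name the highest offered protocol and say whether it meets the floor.
    The default floor (TLS 1.0) is an assumption matching this post's advice."""
    v = highest_offered_version(data)
    if v is None:
        return ("not a ClientHello", False)
    return (VERSION_NAMES.get(v, hex(v)), v >= minimum_version)


# --- constructed sample ClientHellos (test data, not captured traffic) ---

def build_client_hello(record_version, client_version, cipher_suites, extensions=b""):
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def supported_versions_ext(versions):
    payload = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(payload)) + payload


SAMPLES = {
    "sslv2": b"\x80\x1c\x01\x00\x02\x00\x03\x00\x00\x00\x10\x01\x00\x80" + b"\x22" * 16,
    "sslv3": build_client_hello(0x0300, 0x0300, [0x002F]),
    "tls12": build_client_hello(0x0303, 0x0303, [0xC02F]),
    "tls13": build_client_hello(0x0301, 0x0303, [0x1301],
                                supported_versions_ext([0x0304, 0x0303])),
}

if __name__ == "__main__":
    for name, hello in SAMPLES.items():
        proto, ok = assess_client_hello(hello)
        print(f"{name}: offers {proto}, {'meets' if ok else 'FAILS'} the TLS floor")
```

Run against bytes pulled from a packet capture on the CDE, the function tells you which clients would still fall back to SSL once you disable it on the server side, so you can fix those endpoints before the cut-over rather than after.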
UPDATE: On February 13, 2015, the PCI SSC issued an update to their original announcement in the Assessor Newsletter.