PCI 3.1

Breaking Down PCI DSS Version 3.1

For those who are not tech driven, PCI DSS v3.1 can be very confusing.

Before tackling v3.1, the reader must first understand the basics of Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

SSL is a security protocol used on the Internet, and TLS is the broader security protocol family that SSL belongs to. This encryption technology is indicated in your browser by a “lock icon” and/or a green address bar, so that the user knows they are visiting a site that has been secured by SSL.

Breaking it down further, SSL is a method of encrypting the data sent from a web browser such as Internet Explorer or Chrome to a web server. Web servers are computers with IP addresses that deliver HTTPS web pages to the browser once you enter a site’s IP address or domain name. Any computer can become a web server by installing specific software on it and connecting it to the Internet.

Without encryption, the information sent from the web browser to the web server can be intercepted by a hacker after it leaves the browser and before it reaches the server. This is commonly referred to as a “man-in-the-middle” attack. Although SSL and TLS have been widely used encryption protocols for years, SSL and early TLS have now been removed by the PCI Security Standards Council and can no longer be used as a security control after June 30, 2016. Unfortunately, it took several high-profile security breaches before the industry recognized that it needed to take this action.

As there are no fixes for this problem, what can a small merchant do? Prior to June 30, 2016, merchants need to have a formal, PCI DSS-driven Risk Mitigation and Migration Plan in place to deal with existing implementations that use SSL and/or early TLS. Make sure that any “new implementations” do not use SSL or early TLS. Small merchants who depend on Point of Sale (POS)/Point of Interaction (POI) terminals need to contact their terminal provider and/or merchant bank to determine whether their terminals are affected by the SSL vulnerability. If the merchant has anything other than a POS environment (e.g. virtual payment terminals, back-office servers, user computers), it is best to engage qualified PCI specialists to obtain upgrades where available.
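For a back-office or virtual-terminal service that a merchant runs themselves, the migration plan boils down to one configuration question: does the server still offer SSL or early TLS? The following is an added example, not from this article or the PCI SSC, showing a "before" server context next to a hardened one and an audit function that lists the versions below the floor. It assumes a floor of TLS 1.2 (the version the PCI SSC recommends migrating to) and uses only the Python standard library.

```python
import ssl

# Assumed floor for this example: refuse anything below TLS 1.2.
# PCI DSS 3.1 treats SSL and TLS 1.0 as "early TLS"; TLS 1.2 is the
# version the PCI SSC recommends, so it is used as the bar here.
PCI_FLOOR = ssl.TLSVersion.TLSv1_2

# Versions a context may negotiate, oldest first (insertion order matters).
_VERSION_NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1.0",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def legacy_server_context() -> ssl.SSLContext:
    """The 'before' (constructed): a server context that still offers every
    version the local OpenSSL build supports, i.e. possibly SSLv3/TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def pci_server_context() -> ssl.SSLContext:
    """The 'after': refuse every handshake below the PCI floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PCI_FLOOR
    return ctx


def offered_versions(ctx: ssl.SSLContext) -> list[str]:
    """Protocol versions the context is willing to negotiate, floor to ceiling.
    MINIMUM/MAXIMUM_SUPPORTED are sentinels, so map them to named versions."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for v, name in _VERSION_NAMES.items() if lo <= v <= hi]


def early_tls_findings(ctx: ssl.SSLContext) -> list[str]:
    """Versions below the PCI floor that the context still offers.
    An empty list means this configuration check passes."""
    return [name for v, name in _VERSION_NAMES.items()
            if v < PCI_FLOOR and name in offered_versions(ctx)]


if __name__ == "__main__":
    print("legacy :", early_tls_findings(legacy_server_context()))  # three findings
    print("pci    :", early_tls_findings(pci_server_context()))     # []
```

Wrapping a service's own `SSLContext` this way turns the "no SSL or early TLS" requirement into a check that can run in a deployment test.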

Now that you have been given your primer, see the PCI DSS site at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf for more detailed information and instructions.