Time's up for SSL and early TLS

June 30, 2018, is the effective deadline for merchants to implement TLS 1.2, according to the PCI Security Standards Council (PCI SSC). The newer version of Transport Layer Security (TLS) is required for merchants with Internet-facing systems. The technology addresses flaws in previous security protocols, which include Secure Sockets Layer (SSL) and earlier iterations of TLS, the council stated. An April 2015 information supplement, titled Migrating from SSL and Early TLS, called SSL a 20-year-old technology, adding, "The time to migrate is now."

The PCI SSC has seen widespread man-in-the-middle attacks compromise large and small retailers. It urges merchants to upgrade to secure protocols and disable SSL and early TLS. "The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE," council researchers wrote. "SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol."

POODLE skirts

Mark Carl, CEO at Atlanta-based ControlScan Inc., said the POODLE vulnerability, initially identified in 2014, is a flaw in the SSL 3.0 protocol and not something a software patch can fix. "Businesses that are paying attention to data security trends should have already upgraded from outdated versions of SSL and TLS to a minimum of TLS 1.2," he stated. "It's important to stay on top of these changes, because the more time that passes with your business behind, the greater your vulnerability. You're basically a sitting duck." Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, said POODLE and other man-in-the-middle attacks exploit vulnerabilities in SSL and early TLS. Updating to TLS 1.2 is a critical requirement, not only for ecommerce merchants, but for any business with internet-facing technology, he added. "A lot of focus has been on online retailers that conduct ecommerce through shopping carts," he said. "However, the risks are also present for businesses that use web-based software in their physical offices."

Miles recommended implementing point-to-point encryption (P2PE) as a cost-effective way to protect data. Business owners can use the SSL sunset as an opportunity to increase security with P2PE, while easing their compliance workload, he said. For example, merchants who implement P2PE are eligible for a shorter version of the PCI SSC's Self-Assessment Questionnaire. The PCI P2PE SAQ has about 35 questions, compared with 150 questions on the PCI SAQ C-VT that many businesses have to complete.

"We have seen call centers and back-offices all over the country upgrade their web-based SaaS, ISV, or practice management software to support PCI P2PE (encrypted) keypads," he added. "These offices key the card data they receive in person, over the phone or through the mail into these inexpensive secure keypads."

Protect data in transit

Gary Glover, senior vice president, assessments at Orem, Utah-based SecurityMetrics, recommended the following actions for merchants using SSL or early TLS:

• Upgrade to a current, secure version of TLS configured to not accept fallback to SSL or early TLS.

• Encrypt data with strong cryptography before sending over SSL/early TLS (for example, use field-level or application-level encryption to encrypt the data prior to transmission)

• Set up a strongly encrypted session first (for example, IPsec tunnel), then send data over SSL within the secure tunnel

• Check firewall configurations to see if SSL can be blocked

• Check all application and system patches are up to date

• Check and monitor systems to ID suspicious activity that may indicate a security issue

Jen Stone, security analyst at SecurityMetrics, said merchants need to understand their responsibility does not end when data leaves their vicinity. The concept of man-in-the-middle attacks has been difficult for many merchants to grasp, she noted. "If I run a scan and find malware on your POS, that's a more tangible concept than if I find intercepted data between you and an intended endpoint," she said. "If you have a visitor who gets robbed, you can say I should have had better locks on the door, but if your visitor takes an Uber, you don't know if they're getting robbed. That conduit of transmission is harder to put your arms around."

Stone said the most common concerns among merchants who use outdated forms of SSL and TLS are related to time, resources, expenses and lost revenue. "Ecommerce merchants who target an older demographic tell us they may lose sales if they force older customers to use a higher form of security," she said. "From the perspective of a security analyst who sees exploits in the real world, these excuses need to go away."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.