Page 34 - GS180302
CoverStory
cardholder data environments (CDEs), whereas in version 3.1 the requirement applied to remote access only. It also enforces stricter controls for documenting, tracking and managing changes to CDEs.

One company working to eliminate system vulnerabilities is Conformance Technologies LLC. The firm offers full-system penetration tests through its Cyber Attack Readiness ToolKit. "Our numbers are, with our penetration test, that in 100 percent of the tests we've done, we've been able to break into the merchant system," said Darrel Anderson, President of Conformance Technologies. "We find vulnerabilities that would allow a hacker to get in, 94 percent of the time we find credit card numbers."

To prevent system vulnerabilities down the road, Conformance Technologies automates compliance processes with its PCI ToolKit, which features online calendaring system reminders for system checks and a policy generator merchants can use for training. Its InConRadar (Internet Content Radar) monitors merchant websites in real time for suspected illegal activities, catching some merchants unaware.

Another PCI compliance requirement mandates that as of July 1, 2018, organizations must migrate from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) data encryption and authentication protocols to the more secure TLS version 1.2. Certain POI (Point of Interaction) terminals have been exempted from this requirement.

Many consider this security requirement long overdue, since SSL is based on a 22-year-old technology and its replacement, TLS 1.2, has been available for 10 years. TLS 1.3 is currently being tested in the market. The PCI SSC started encouraging organizations to switch protocols in 2015, shortly after the National Institute of Standards and Technology issued a warning that the SSL protocol was no longer reliable.

"The most notable vulnerability was called POODLE (Padding Oracle On Downgraded Legacy Encryption)," Leach said. "Not only was it able to break down the protocol, you could not detect it, if successfully launched. You could think that you had a secure encrypted channel, and in the middle, what we call a man-in-the-middle attack, they could decrypt that information, steal it, re-encrypt it, and neither the sender nor the receiver would know that there was a compromise."

The protocol change for organizations with larger infrastructures and older technology has proven challenging for some, but for smaller merchants with modern web browsers the transition has produced less friction, Leach noted. To assist with the protocol migration, the PCI SSC offers several resources on its website, including a webinar and the seven-page Information Supplement: Migrating from SSL and Early TLS.
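As an added example (not from the article, Conformance Technologies or the PCI SSC), the kind of migration-readiness check an operations team would run before raising a server's floor to TLS 1.2: it walks constructed Apache mod_ssl access-log lines (an assumed LogFormat that records %{SSL_PROTOCOL}x and %{SSL_CIPHER}x), counts connections per protocol, lists the clients still negotiating SSL or early TLS, and builds a Python server context that refuses those protocols at the handshake.

```python
import re
import ssl
from collections import Counter

# Protocol names as Apache mod_ssl writes them for %{SSL_PROTOCOL}x. SSL and
# "early TLS" are what the July 1, 2018 PCI DSS deadline retires; TLS 1.2 is the floor.
EARLY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumed (hypothetical) LogFormat: "%h %t \"%r\" %>s %{SSL_PROTOCOL}x %{SSL_CIPHER}x"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r"(?P<proto>\S+) (?P<cipher>\S+)$"
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 [01/Mar/2018:10:00:01 +0000] "POST /checkout HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 [01/Mar/2018:10:00:05 +0000] "POST /checkout HTTP/1.1" 200 TLSv1 AES128-SHA
198.51.100.7 [01/Mar/2018:10:02:14 +0000] "GET /api/balance HTTP/1.1" 200 TLSv1 AES128-SHA
192.0.2.44 [01/Mar/2018:10:03:00 +0000] "POST /checkout HTTP/1.1" 200 SSLv3 RC4-SHA
203.0.113.10 [01/Mar/2018:10:04:30 +0000] "GET /api/balance HTTP/1.1" 200 TLSv1.3 TLS_AES_256_GCM_SHA384
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def early_protocol_report(log_text):
    """Count connections per protocol and map each client still on SSL/early TLS
    to the protocols it used; those clients (legacy POI terminals, old integrations)
    break, or need a documented exemption, once TLS 1.2 is enforced."""
    by_protocol = Counter()
    legacy_clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not TLS access records
        by_protocol[rec["proto"]] += 1
        if rec["proto"] in EARLY_PROTOCOLS:
            legacy_clients.setdefault(rec["ip"], set()).add(rec["proto"])
    return by_protocol, legacy_clients

def pci_server_context():
    """Server-side SSLContext that refuses SSL 3.0, TLS 1.0 and TLS 1.1 at the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Run the report against the real access logs for a few weeks before the cutover; the legacy-client list is the inventory of terminals and integrations to upgrade or formally exempt.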
Cross-industry collaboration

In February 2018, the PCI SSC and Accredited Standards Committee X9 Inc. (ASC X9), an ANSI-accredited organization that manages approximately 100 domestic and 58 international standards for the financial services industry, joined forces to create a unified PIN Security Standard. The organizations currently maintain separate PIN security standards: the PCI PIN Security Standard and X9 TR39 PIN Standard.

Consolidation of the two standards will simplify efforts for organizations subject to both standards. "Both standards are used for auditing the networks, and the auditors have to be trained and certified to be able to audit to one or both of the standards," said Steve Stevens, Executive Director for the ASC X9.