PCI Council: SSL Will No Longer Be Sufficient for E-Commerce

In the latest edition of the PCI Council’s Assessor Newsletter, the Council previewed a proposed change related to the use of Secure Socket Layer (SSL) protocol for encrypting communications between your website’s e-commerce shopping cart and your customers’ computers.

In talking about this proposed revision, which should be expected in version 3.1 of the PCI DSS and PA-DSS (version 3.0 is currently in effect), the newsletter said the following:

“In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue.” (emphasis added)

The newsletter goes on to state that the Council is currently working with industry stakeholders to determine the impact of this proposed change.  A date for the release of the new version has not yet been set but, in a bulletin published on February 13, the PCI Council said that the change, when made, will become effective immediately but will be “future-dated.”

The once widely popular SSL protocol has been widely criticized recently because of a number of inherent weakness.  The PCI bulletin references the NIST SP 800-52 guidelines related to the Transport Layer Security (TLS) protocol which may be a good indication that TLS is the lead contender to replace SSL.

In-house counsel and compliance professionals should take note of this pending change because it may necessitate changes to your organization’s website, which may require significant lead time, in order to remain compliant with your PCI DSS obligations.