Tag Archives: SSL

PCI Council Releases ‘Best Practices for Securing E-Commerce’

Is your organization accepting credit card transactions online? Are those transactions secure according to the Payment Card Industry (PCI) Data Security Standard? 66% of consumers warn they won’t purchase from an organization after it has suffered a breach of payment card information.

The PCI’s Security Standards Council released a guidance document to help educate merchants on securely accepting payment cards online. The updated guidance, Best Practices for Securing E-commerce, comes at a time when online payments are a top target for cyber criminals.

E-commerce is a growing security concern for merchants. Online sales are growing rapidly, and the EMV chip migration in the U.S. is reducing the number of in-person card transactions. Cyber criminals recognize these trends and have turned their attention to e-commerce to commit payment card fraud.

Best Practices for Securing E-commerce

A large portion of the guidance is dedicated to the topic of SSL and TLS. There is still confusion about these protocols and about how to properly select a certificate authority.

The PCI Council announced in December 2015 that all merchants accepting payment cards are required to adopt TLS 1.1 encryption or higher by June 2018. Google added to the urgency by having its Chrome browser warn users when they visit a website without HTTPS.

Key encryption topics discussed in the guidance include:

  • Guidance on selecting a certificate authority
  • Descriptions of different certificate types
  • Questions to ask service providers regarding certificates and encryption

Key Takeaway

The PCI Council is taking a proactive approach to the SSL and TLS encryption issue. The implementation deadline is still a year away, but merchants that aren’t yet compliant can use this guidance to help them securely accept online payments.

PCI Council Publishes PCI DSS v.3.1

The PCI Security Standards Council (PCI SSC) has published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance (press release). The revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

The National Institute of Standards and Technology (NIST) identified SSL as unacceptable for protecting data because of inherent weaknesses in the protocol. Upgrading to a current, secure version of Transport Layer Security (TLS), the successor protocol to SSL, is the only known way to remediate these vulnerabilities, which have been exploited by browser attacks such as POODLE and BEAST. PCI DSS 3.1 updates requirements 2.2.3, 2.3, and 4.1 to remove SSL as an example of strong cryptography.
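As an added example (not part of these posts or of any PCI publication), the following Python probe records which protocol versions a server's HTTPS endpoint will negotiate and applies the rule the posts above state: SSL is no longer strong cryptography under PCI DSS 3.1, and TLS 1.1 or higher is required. It uses only the standard `ssl` and `socket` modules (Python 3.7+); `audit` needs network access to the host you name, while `pci_verdict` runs offline on an already-collected set of version names. The function names and the `SECLEVEL=0` cipher string are this example's own choices, not anything the posts prescribe.

```python
import socket
import ssl

# Versions the posts above rule out: PCI DSS 3.1 dropped SSL from "strong
# cryptography", and the June 2018 deadline calls for TLS 1.1 or higher,
# so SSLv3 and TLS 1.0 are the offenders.
NON_COMPLIANT = {"SSLv3", "TLSv1"}

PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def pci_verdict(accepted):
    """Apply the rule above to a set of accepted protocol names -> (ok, offending)."""
    offending = sorted(v for v in accepted if v in NON_COMPLIANT)
    return (not offending, offending)

def server_accepts(host, port, version, timeout=5.0):
    """True if a handshake pinned to exactly one protocol version completes.
    False also covers a local OpenSSL built without that version, so a
    negative SSLv3 result is not proof on its own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # only the negotiated version matters here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False             # local OpenSSL refuses to offer this version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # offer legacy suites where supported
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def audit(host, port=443):
    """Probe every version and return (accepted_set, pci_verdict). Needs network."""
    accepted = {n for n, v in PROBE_VERSIONS.items() if server_accepts(host, port, v)}
    return accepted, pci_verdict(accepted)
```

Calling `audit("shop.example.invalid")` (a placeholder host) returns the set of versions the server completed a handshake for and the verdict; any SSLv3 or TLSv1 entry marks the endpoint as failing the rule described above.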

OpenSSL Patch Plugs Severe Security Vulnerabilities

OpenSSL, a software library deployed by many organizations to encrypt online communications, has released new versions to fix several “high” severity security vulnerabilities. OpenSSL implements Secure Sockets Layer (SSL) encryption for websites to protect data from being read by eavesdroppers.

The high-severity issues addressed in the updates are bugs that can be exploited in Denial of Service (DoS) attacks.

Version Updates:

  • OpenSSL 1.0.2 users should upgrade to 1.0.2a
  • OpenSSL 1.0.1 users should upgrade to 1.0.1k
  • OpenSSL 1.0.0 users should upgrade to 1.0.0p
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zd

Best Practices:

  • Apply recommended updates to vulnerable systems
  • Remind users of the dangers of links in emails, of attachments, and of content from untrusted sources