Tag Archives: TLS

PCI Council Releases ‘Best Practices for Securing E-Commerce’

Is your organization accepting credit card transactions online? Are those transactions secure according to the Payment Card Industry Data Security Standard (PCI DSS)? 66% of consumers say they won’t purchase from an organization after it has suffered a breach of payment card information.

The PCI Security Standards Council (PCI SSC) has released a guidance document to help educate merchants on securely accepting payment cards online. The updated guidance, Best Practices for Securing E-commerce, comes at a time when online payments are a top target for cyber criminals.

E-commerce is a growing security concern for merchants. Online sales are growing rapidly, and the EMV chip migration in the U.S. is making counterfeit card fraud at the point of sale harder to pull off. Cyber criminals recognize these trends and have turned their attention to e-commerce to commit payment card fraud.

Best Practices for Securing E-commerce

A large portion of the guidance is dedicated to SSL and TLS. There is still confusion about the difference between these two protocols, about which versions are acceptable, and about how to properly select a certificate authority.

The PCI Council announced in December 2015 that all merchants accepting payment cards must stop using SSL and early TLS and move to TLS 1.1 or higher (TLS 1.2 is strongly encouraged) by June 30, 2018. Google added to the urgency by having the Chrome browser warn users when a page that collects passwords or card numbers is served without HTTPS.

Key encryption topics discussed in the guidance include:

  • Guidance on selecting a certificate authority
  • Descriptions of different certificate types
  • Questions to ask service providers regarding certificates and encryption

Key Takeaway

The PCI Council is taking a proactive approach to the SSL and early TLS problem. The migration deadline is still a year away, but merchants that aren’t yet compliant can use this guidance to plan how they will securely accept online payments.

Another Transport Layer Vulnerability Discovered – Logjam

A team of computer scientists recently disclosed a weakness in the way Transport Layer Security (TLS) negotiates Diffie-Hellman key exchange, which they call the “Logjam” vulnerability. The root cause is 20 years old, dating back to 1990s export-grade cryptography, and the team has published fixes and deployment guidance for server operators and browser vendors. According to their findings, 8 percent of the world’s 1 million most popular HTTPS websites are vulnerable to Logjam.

Technical Details

Logjam targets the Diffie-Hellman key exchange, which underpins common protocols such as HTTPS, SSH and IPsec VPNs. In the 1990s, U.S. export restrictions required servers to support deliberately weakened “export-grade” cipher suites that use 512-bit Diffie-Hellman groups. Logjam is a man-in-the-middle downgrade: the attacker rewrites the handshake so that the server picks an export-grade 512-bit group while the client believes it negotiated a normal one. Because nearly all servers share a handful of 512-bit primes, an attacker can do a one-time precomputation per prime and then recover individual session keys in seconds to minutes. More technical details about the Diffie-Hellman flaw are available in this article.

This flaw is significant because it lets an attacker positioned between a browser and a server read traffic that should be protected, eavesdrop on banking transactions, or hijack social media accounts. The research team also warns that a related, far more expensive attack on 1024-bit groups is within reach of state-level actors such as the National Security Agency, and is a plausible explanation for reported attacks on virtual private networks (VPNs).

Beware of Passive Decryption

A well-funded state-level actor can break the more common 1024-bit groups the same way: by precomputing the discrete-logarithm structure for the few primes that most servers share. The researchers estimate that breaking a single widely used 1024-bit prime would allow passive decryption of traffic to 66 percent of the world’s VPN servers, with no active interference needed. Moving to 2048-bit or larger Diffie-Hellman groups, or to elliptic-curve Diffie-Hellman (ECDHE), should be a priority.

To test whether your browser is vulnerable, visit weakdh.org.
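weakdh.org checks the browser side. The server side of the Logjam and passive-decryption discussion above can be checked by looking at the ServerKeyExchange message a DHE server sends, since that message carries the Diffie-Hellman prime in the clear. The following is an added example written for this post, not tooling from the Logjam research team: a parser for the ServerDHParams structure from RFC 5246 section 7.4.3 that reports the group size and grades it against the thresholds the paper discusses. The two sample messages are constructed in the script with placeholder moduli (they are not real primes and not the well-known export-grade groups) so that it runs offline; only the byte layout is real.

```python
"""Measure the Diffie-Hellman group size offered in a TLS ServerKeyExchange.

Added example for this post, not the Logjam team's code. Sample messages
below are constructed with placeholder moduli; the parser only measures
size, it does not test primality.
"""
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # HandshakeType server_key_exchange


def parse_server_dh_params(handshake: bytes) -> dict:
    """Parse a DHE ServerKeyExchange handshake message (RFC 5246 7.4.3).

    Layout: msg_type(1) | length(3) | dh_p<1..2^16-1> | dh_g<1..2^16-1>
            | dh_Ys<1..2^16-1> | signature (remainder, not verified here).
    Raises ValueError on malformed input.
    """
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    msg_type = handshake[0]
    length = int.from_bytes(handshake[1:4], "big")
    if msg_type != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError(f"not a ServerKeyExchange (type {msg_type})")
    body = handshake[4:4 + length]
    if len(body) != length:
        raise ValueError("handshake body shorter than declared length")

    offset = 0
    fields = []
    for _ in range(3):  # dh_p, dh_g, dh_Ys are each a 16-bit-length-prefixed vector
        if offset + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        n = struct.unpack_from("!H", body, offset)[0]
        offset += 2
        if n == 0 or offset + n > len(body):
            raise ValueError("bad vector length in ServerDHParams")
        fields.append(body[offset:offset + n])
        offset += n
    p_bytes, g_bytes, ys_bytes = fields
    p = int.from_bytes(p_bytes, "big")
    return {
        "p": p,
        "g": int.from_bytes(g_bytes, "big"),
        "ys": int.from_bytes(ys_bytes, "big"),
        "p_bits": p.bit_length(),
        "signature": body[offset:],
    }


def assess_dh_group(p_bits: int) -> str:
    """Grade a DH modulus size against the thresholds from the Logjam paper."""
    if p_bits <= 512:
        return "export-grade: Logjam downgrade target, sessions recoverable in minutes after a one-time precomputation"
    if p_bits < 1024:
        return "weak: within academic reach"
    if p_bits < 2048:
        return "marginal: 1024-bit groups are within reach of nation-state precomputation"
    return "acceptable: 2048-bit or larger"


def is_well_formed(handshake: bytes) -> bool:
    """True if the bytes parse as a DHE ServerKeyExchange."""
    try:
        parse_server_dh_params(handshake)
        return True
    except ValueError:
        return False


def build_server_key_exchange(p: int, g: int, ys: int, signature: bytes = b"") -> bytes:
    """Encode ServerDHParams the way a server would (used to build samples)."""
    def vec(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys) + signature
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples: placeholder moduli with the top bit set so the bit
# length is exact. Not real primes, not the mod_ssl/Apache export group.
EXPORT_GRADE_SAMPLE = build_server_key_exchange(p=(1 << 511) | 0x5, g=2, ys=(1 << 500) | 0x13)
STRONG_SAMPLE = build_server_key_exchange(p=(1 << 2047) | 0x5, g=2, ys=(1 << 2000) | 0x13)


if __name__ == "__main__":
    for label, msg in (("export-grade sample", EXPORT_GRADE_SAMPLE), ("2048-bit sample", STRONG_SAMPLE)):
        params = parse_server_dh_params(msg)
        print(f"{label}: p is {params['p_bits']} bits -> {assess_dh_group(params['p_bits'])}")
```

To apply this to a live server, capture the handshake (for example with a packet capture of the connection, or by adding "-msg" to an openssl s_client session) and feed the ServerKeyExchange bytes to parse_server_dh_params(); anything that grades below "acceptable" should be fixed by generating a fresh 2048-bit group or preferring ECDHE suites, as the researchers recommend.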

PCI Council Publishes PCI DSS v.3.1

The PCI Security Standards Council (PCI SSC) has published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance (press release). The revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

The National Institute of Standards and Technology (NIST) identified SSL as not acceptable for the protection of data (Special Publication 800-52) due to inherent weaknesses within the protocol, and PCI DSS 3.1 treats “early TLS” (TLS 1.0) the same way. Upgrading to a current, secure version of Transport Layer Security (TLS), the successor protocol to SSL, is the only known way to remediate these vulnerabilities, which have been exploited by browser-based attacks such as POODLE and BEAST. PCI DSS 3.1 updates requirements 2.2.3, 2.3, and 4.1 to remove SSL as an example of strong cryptography.
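The protocol floor described in this post and in the e-commerce guidance above (no SSL, no early TLS, TLS 1.2 strongly encouraged) is easy to state and easy to get wrong in code. As an added example written for this page, not PCI SSC material, the following Python-standard-library snippet builds a client context that enforces that floor, audits the cipher list it would negotiate, and reports what a server actually agrees to. The host and port passed to check_server() are assumed placeholders.

```python
"""TLS client policy matching the PCI SSC SSL/early-TLS migration floor.

Added example for this post, not PCI SSC material. Standard library only.
"""
import socket
import ssl

# PCI SSC's floor is TLS 1.1; the guidance strongly encourages TLS 1.2, so
# that is the minimum enforced here.
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Forward-secret AEAD suites only: no static RSA key transport, no export,
# no RC4/3DES/MD5, no anonymous or NULL ciphers. TLS 1.3 suites are
# configured separately by OpenSSL and are unaffected by this string.
CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!eNULL:!MD5"


def pci_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL and early TLS and weak suites."""
    ctx = ssl.create_default_context()  # certificate verification against system CAs
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(CIPHERS)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that would violate the policy: anything under
    128-bit strength or tied to a protocol version below TLS 1.2."""
    bad = []
    for c in ctx.get_ciphers():
        if c["strength_bits"] < 128 or c["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            bad.append(c["name"])
    return bad


def check_server(host: str, port: int = 443) -> dict:
    """Connect with the policy context and report the negotiated parameters.
    host/port are placeholders; a server still on SSL or TLS 1.0/1.1 makes
    the handshake fail with ssl.SSLError instead of silently downgrading."""
    ctx = pci_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


if __name__ == "__main__":
    ctx = pci_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("policy violations in enabled cipher list:", weak_ciphers(ctx) or "none")
```

The important design point is that the floor is set on the context, not checked after the fact: a server that only speaks SSLv3 or TLS 1.0 simply cannot complete the handshake, which is the behaviour an auditor wants to see rather than a warning logged after a weak session was already established.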