The Wakefield, Mass.-based PCI Security Standards Council (PCI SSC) revised its Payment Application Data Security Standard (PA-DSS) to address vulnerabilities in encryption protocols that primarily affect the web servers and browsers that drive payment terminals.

PA-DSS 3.1 aligns with the recent release of PCI Data Security Standard 3.1, which primarily addressed vulnerabilities in the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. With this revision and supporting guidance, the Council urges organizations to understand if and how their payment applications are using SSL and to upgrade to a secure version of TLS.

“The vulnerabilities are so concerning that the PCI Security Standards Council went against their standard release process and made an interim change to the PA-DSS standard,” Brad Cyprus, chief of security and compliance at the Houston-based Netsurion (formerly VendorSafe), a provider of secure networks, said. “The life cycle for the standards is supposed to be three years, but the issues with SSL (and early TLS) were so great in the opinion of the PCI Security Standards Council that they made this drastic move to address what they believed to be an immediate threat to the payment landscape.”

If exploited, the vulnerability can jeopardize payment-card data security. The only known way to remediate the SSL vulnerabilities exploited by POODLE and BEAST is to upgrade payment applications and systems to a minimum of TLS 1.1 (the successor protocol to SSL).

POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks let a man in the middle, such as a malicious Wi-Fi hotspot or a compromised ISP, extract data from secure HTTP connections. BEAST (Browser Exploit Against SSL/TLS) attacks the confidentiality of an HTTPS connection in a short amount of time.

“The council works closely with the payment security community on any changes made to the PCI Standards,” PCI SSC Chief Technology Officer Troy Leach said. “This update falls in line with our mission of pushing for the best security as soon as possible, while empowering organizations to take a pragmatic, risk-based approach to protecting their data.”

Many vulnerabilities have been found in all versions of SSL and in early versions of TLS (which superseded SSL), Cyprus pointed out. No patch or remediation can fix most of these issues. In particular, POODLE can intercept data transmitted via SSL or early TLS.

The primary change to PA-DSS, along with some housekeeping issues and clarifications, is the removal of SSL and early TLS from the standard as examples of secure protocols. New installations are only supposed to use TLS 1.1 or 1.2 going forward, and existing installations have until June 30, 2016 to migrate to the new standard.

From an operations standpoint, this means that merchants who have software or payment terminals that use SSL/early TLS must upgrade the equipment to support later versions of TLS. In some cases this will not be a simple matter, Cyprus points out. Merchants can determine their software upgrading needs in a few ways. Their POS support resource will have to educate them and convince them to spend the money on an upgrade within a year. Considering the millions of merchants who accept credit cards, this is a herculean task, he said.
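One of those ways, as an added example that is not part of the article or of any PCI SSC material: a small Python audit that reads the ServerHello record a device's payment connection answered with (here constructed inline rather than captured) and flags any endpoint still negotiating SSLv3 or TLS 1.0, the versions PA-DSS 3.1 no longer lists as secure. The device names and sample records are constructed for illustration.

```python
import struct

# TLS/SSL version fields as they appear on the wire (major, minor).
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL_3_0: "SSLv3", TLS_1_0: "TLS 1.0",
         TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}
CONTENT_HANDSHAKE = 22       # record-layer content type
HANDSHAKE_SERVER_HELLO = 2   # handshake message type

def negotiated_version(record: bytes):
    """Return the (major, minor) version the server chose, read from
    the ServerHello body (authoritative for SSLv3 through TLS 1.2), or
    None if the bytes are not a ServerHello handshake record."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != HANDSHAKE_SERVER_HELLO:
        return None
    return (body[4], body[5])   # after handshake type(1) + length(3)

def pa_dss_31_compliant(version) -> bool:
    """PA-DSS 3.1 drops SSL (any version) and early TLS (1.0) as
    examples of secure protocols; TLS 1.1 is the minimum."""
    return version is not None and version >= TLS_1_1

def server_hello(version, cipher=b"\x00\x2f"):
    """Build a minimal constructed ServerHello record: version,
    32-byte random, empty session id, one cipher, null compression."""
    body = bytes(version) + bytes(32) + b"\x00" + cipher + b"\x00"
    hs = bytes([HANDSHAKE_SERVER_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs

# Constructed sample captures: what each device's server side answered.
SAMPLE_CAPTURE = {
    "terminal-A": server_hello(SSL_3_0),
    "terminal-B": server_hello(TLS_1_0),
    "gateway": server_hello(TLS_1_2),
}

def audit(captures):
    """Map device name -> (protocol name, compliant) so SSL/early-TLS
    endpoints can be listed for migration before the deadline."""
    result = {}
    for name, rec in captures.items():
        v = negotiated_version(rec)
        result[name] = (NAMES.get(v, "unknown"), pa_dss_31_compliant(v))
    return result
```

Running `audit(SAMPLE_CAPTURE)` lists terminal-A (SSLv3) and terminal-B (TLS 1.0) as non-compliant and the gateway (TLS 1.2) as compliant.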

Furthermore, explains Cyprus, some standalone payment terminals, which are completely hardware-based and have their operating systems written on their internal chips, might not be able to support SSL.

“Again, the merchant may not have any way to determine if their device is vulnerable or not,” Cyprus said. “This would once again require the merchant to be contacted by the person who supports their terminal, educate them on the change to the standard, and convince them to spend the money to upgrade.”
