The PCI Security Standards Council has just published a new version of the Payment Card Industry Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer encryption protocol that can put payment data at risk. What must security leaders know about PCI 3.1 and its supporting guidance? Troy Leach of the PCI Council offers insights.
The reality about PCI version 3.1? It primarily boils down to removing one cryptography example three times from the published standard. But that small step indeed signals a giant leap forward in payment card security.
The new guidance removes the Secure Sockets Layer encryption protocol, and early versions of Transport Layer Security, as examples of strong cryptography, and calls for use of a current, secure version of TLS.
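A practical way to act on that guidance is to find out where SSL and early TLS are still being negotiated. The following is an added example, not code from the PCI Council or from the article: it parses the version reported in captured SSL/TLS handshake records (including the older SSLv2 ClientHello framing) and flags anything below an assumed floor of TLS 1.2. The sample records are constructed inline, and the floor is this example's assumption, not a figure from the standard.

```python
"""Classify SSL/TLS protocol versions seen in captured handshake records.

Added example. The sample records are constructed, not real captures.
The minimum acceptable version (TLS 1.2) is an assumption for this
example; PCI DSS 3.1 itself removes SSL and early TLS as examples of
strong cryptography and points to a current, secure TLS version.
"""
import struct

VERSION_NAMES = {
    0x0002: "SSLv2",
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}
MIN_ACCEPTABLE = 0x0303  # assumption: treat TLS 1.2 as the floor


def parse_negotiated_version(record: bytes) -> int:
    """Return the protocol version a captured handshake record reports.

    Three cases are handled:
      * SSLv2-style ClientHello: 2-byte length header with the high bit
        set, then message type 0x01, then the 2-byte version.
      * A TLS record carrying a ServerHello: the version inside the
        handshake body is the negotiated one (the record-layer version
        may be lower for compatibility). A TLS 1.3 server still writes
        0x0303 here and signals 1.3 in an extension, so a 1.3 session
        is reported as 1.2, which is still above the floor.
      * Any other TLS record: fall back to the record-layer version.
    """
    if len(record) < 5:
        raise ValueError("record too short")
    if record[0] & 0x80 and record[2] == 0x01:
        # SSLv2 ClientHello: [len_hi|0x80][len_lo][msg_type=1][version(2)]
        return struct.unpack("!H", record[3:5])[0]
    content_type, rec_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:  # 0x16 = handshake content type
        return rec_version
    body = record[5:5 + length]
    if len(body) >= 6 and body[0] == 0x02:  # 0x02 = ServerHello
        # handshake header: type(1) + length(3), then server_version(2)
        return struct.unpack("!H", body[4:6])[0]
    return rec_version


def classify(record: bytes) -> dict:
    """Map a record to its version name and whether it meets the floor."""
    version = parse_negotiated_version(record)
    name = VERSION_NAMES.get(version, f"unknown(0x{version:04x})")
    return {"version": name, "acceptable": version >= MIN_ACCEPTABLE}


def _server_hello(version: int) -> bytes:
    """Build a minimal constructed ServerHello record for the samples."""
    body = bytes([0x02]) + (2).to_bytes(3, "big") + struct.pack("!H", version)
    return struct.pack("!BHH", 0x16, 0x0301, len(body)) + body


# Constructed sample records (not real traffic)
SAMPLES = {
    "sslv2_client_hello": bytes([0x80, 0x03, 0x01, 0x00, 0x02]),
    "sslv3_server_hello": _server_hello(0x0300),
    "tls10_server_hello": _server_hello(0x0301),
    "tls12_server_hello": _server_hello(0x0303),
}


def audit(samples=SAMPLES) -> dict:
    """Classify every sample; weak entries are the migration backlog."""
    return {name: classify(rec) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        flag = "OK  " if result["acceptable"] else "WEAK"
        print(f"{flag} {name}: {result['version']}")
```

Run against records pulled from a packet capture of your own payment environment, the WEAK entries give you the prioritized list Leach describes: the systems still negotiating SSL or early TLS that should be migrated first.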
It's unusual for the PCI Council to issue a mid-year update, but this one is critical, Leach says.
"We recognize that since the last time we published our standard in November of 2013, NIST and other subject matter experts have come out and said that the [SSL] protocol itself has been deprecated," Leach says. "So, we recognized that there was a need to move away from that example."
The PCI Council is giving covered entities until June of 2016 to complete the migration, and Leach encourages these organizations to start their risk assessment process now.
"We're asking the community to have the due diligence to do proper risk management of the situation, make an assessment of whether they are at risk, and then make their strategy progressive, so that they identify the top risks first, eliminate those, and then move forward," Leach says.
In an exclusive interview about PCI DSS 3.1, Leach discusses:
- Why this update is so critical;
- How merchants and card issuers must respond;
- What's necessary to comply before the 2016 deadline.
Leach will also discuss PCI DSS version 3.1 at RSA Conference 2015 in San Francisco.
In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, he led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.