Last month, the PCI Security Standards Council surprised many members of the retail industry by releasing an upgrade to its PCI DSS 3.0 standard. Version 3.1 arrived much quicker than anticipated – why is this, and what does it mean for retailers? Kevin Burns, head of solution architecture at secure payments specialist Vodat International, explains.

The release of PCI DSS v3.1 caught a number of retail organisations off guard: most companies are still in the process of moving towards version 3.0, which came into force in January, and new versions normally arrive years – not months – apart.

This urgency was driven, not least, by an exploit known as Padding Oracle On Downgraded Legacy Encryption (POODLE), which lets an attacker recover data from secure HTTP connections that use SSL v3.0. The vulnerability first came to light late last year, and the PCI Council has concluded that SSL v3.0 is no longer secure, because the POODLE weakness lies in the protocol itself and cannot be overcome with software patching.

The main aim of v3.1 is to get eCommerce sites moved from SSL to TLS, ideally TLS 1.2, as this is the only known way to stay secure against POODLE and other SSL-related exploits. The impact for retailers is twofold: first, they will need to complete the updates within their own environment; second, it affects customers, since those with old browsers that cannot negotiate TLS will need to upgrade to later versions. This may require some consumer education in the short term.

The v3.1 update is also designed to make payment Point of Interaction devices (Chip and PIN terminals, ATMs, point-of-sale systems) less vulnerable, by ensuring data is passed securely from the terminal or browser. Retailers therefore need to ensure their payment connections use TLS rather than SSL, again ideally TLS 1.2, although in practice the version is often dictated by what the payment device manufacturer supports.
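As an added illustration, not code from the article or from Vodat, the following Go program shows the server-side setting at the heart of this change. A TLS listener whose floor is TLS 1.0 (the permissive configuration many estates ran before v3.1) still accepts a legacy client, whereas one whose floor is TLS 1.2 refuses that client while modern clients negotiate TLS 1.2 or 1.3. Go has removed SSL 3.0 entirely, so TLS 1.0 stands in for the legacy protocol; the hostname payment-gateway.example, the self-signed certificate and the Negotiate helper are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical hostname for the in-process gateway; not a real endpoint.
const gatewayName = "payment-gateway.example"

var versionNames = map[uint16]string{tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// selfSignedCert builds a throwaway certificate (no files, no external CA) and
// a pool that trusts it, so the client can verify the in-process server.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: gatewayName},
		DNSNames:     []string{gatewayName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// Negotiate starts a TLS listener on loopback whose floor is serverMin, then
// connects with a client that will not go above clientMax. It returns the
// version actually agreed, or the handshake error when the server refuses the
// client. TLS 1.0 stands in for the legacy client: Go rejects a MinVersion of
// tls.VersionSSL30 outright, which is the right default for a payment estate.
func Negotiate(serverMin, clientMax uint16) (uint16, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	// MinVersion is the server-side setting v3.1 is really about:
	// tls.VersionTLS10 is the permissive "before", tls.VersionTLS12 the fix.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin,
	})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = conn.(*tls.Conn).Handshake() // outcome is observed on the client side
	}()
	clientCfg := &tls.Config{
		RootCAs:    roots,
		ServerName: gatewayName,
		MinVersion: tls.VersionTLS10, // an old browser or terminal: deliberately permissive
		MaxVersion: clientMax,
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	// Before (floor TLS 1.0) and after (floor TLS 1.2), each probed by three clients.
	for _, serverMin := range []uint16{tls.VersionTLS10, tls.VersionTLS12} {
		for _, clientMax := range []uint16{tls.VersionTLS10, tls.VersionTLS12, tls.VersionTLS13} {
			label := fmt.Sprintf("server floor %s, client ceiling %s:", versionNames[serverMin], versionNames[clientMax])
			if v, err := Negotiate(serverMin, clientMax); err != nil {
				fmt.Println(label, "refused:", err)
			} else {
				fmt.Println(label, "negotiated", versionNames[v])
			}
		}
	}
}
```

Running it prints a small matrix of server floor against client ceiling; the row for the TLS 1.2 floor is the behaviour a v3.1-ready endpoint should show, including the refusal of the TLS 1.0-only client. The same check against a live site or terminal gateway is made from outside, for example with `openssl s_client -connect host:443 -tls1`, which should be refused once the floor has been raised.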

Upgrading remote terminals across a large distributed estate can be very time-consuming and expensive if it involves engineering visits, which is why, in part, I think the PCI SSC has provided a reasonable timeline for retailers to get ready for v3.1. In order to avoid major inconvenience, some retail businesses are now looking to a payment security system capable of making remote updates.

Before deciding which option is preferable for their business, it’s therefore important for retailers to understand the capabilities and vulnerabilities of their current security solution. I would urge companies to speak to their payment service provider as a matter of urgency, to understand where they lie on the journey to meeting PCI DSS 3.1 standards.

Ultimately, version 3.1 is a positive step forward, as it is making sure that payment device manufacturers support the latest security standards, but hardware providers vary in how close they are to meeting the new requirements, as do the supporting security solutions that safeguard the data. Retail businesses should therefore start by fully understanding their current situation – and then decide on the encryption technology that will best serve them, both in day-to-day operation and in their long-term fraud prevention strategy.