PCI DSS 3.1 – Why the rush?

Version 3.0 of PCI DSS (Payment Card Industry Data Security Standard) was published in November 2013 and became effective in January of this year.

“The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

I wrote a blog about PCI DSS 3.0 and full disk encryption just a few months ago, so I was a bit surprised to see PCI DSS 3.1 come out this April and be effective immediately. PCI DSS Version 3.0 was retired on 30 June 2015.

Two questions immediately came to mind:

Why did the PCI Security Standards Council (PCI SSC) roll out version 3.1 with such urgency?

And why was PCI DSS Version 3.0 retired on 30 June 2015, after such a short in-service life? Well, it is all about SSL. PCI DSS 3.1 addresses vulnerabilities in the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

In short: on Oct 14, 2014 NIST published the CVE-2014-3566 vulnerability:

“The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.”

The key changes in PCI DSS 3.1 with respect to SSL are removing SSL as an example of a secure technology and updating the testing procedures to recognize all versions of SSL as examples of weak encryption. TLS, the successor to SSL, should be used in place of SSL to protect data in motion from now on.

By the way, WinMagic’s SecureDoc key management and full disk encryption software doesn’t use SSL; please ensure your Microsoft OS is patched and up to date and is not configured to allow SSL.
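As an added example (not WinMagic’s code and not part of the original post), the PowerShell below audits whether SSL 2.0 and SSL 3.0 are still allowed by Windows SChannel and, with `-WhatIf` removed, disables them; it assumes Microsoft’s documented SCHANNEL registry layout (per-protocol `Client`/`Server` keys with `Enabled` and `DisabledByDefault` DWORDs).

```powershell
# Added example: audit and (optionally) disable SSL 2.0 / SSL 3.0 in SChannel.
# Assumes the documented key layout under SCHANNEL\Protocols\<protocol>\<role>.
# Run from an elevated prompt; a reboot is required for the change to take effect.

$SchannelBase    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = @('SSL 2.0', 'SSL 3.0')

function Get-SslProtocolState {
    # Emits one object per protocol/role, with StillAllowed = $true unless the
    # key explicitly sets Enabled=0 and DisabledByDefault=1.
    foreach ($proto in $LegacyProtocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelBase $proto) $role
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props             = Get-ItemProperty -Path $key
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # A missing key means "OS default", which may still permit SSL 3.0,
            # so it is reported as allowed rather than assumed safe.
            $allowed = -not (($enabled -eq 0) -and ($disabledByDefault -eq 1))
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                StillAllowed      = $allowed
            }
        }
    }
}

function Disable-LegacySslProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($proto in $LegacyProtocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelBase $proto) $role
            if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0, DisabledByDefault=1')) {
                New-Item -Path $key -Force | Out-Null
                New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
                New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Audit first; remove -WhatIf to apply the change.
Get-SslProtocolState | Format-Table -AutoSize
Disable-LegacySslProtocols -WhatIf
```

SChannel settings only govern software that uses the Windows TLS stack; applications that ship their own library (for example a bundled OpenSSL) must be checked and configured separately.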

What is new in version 3.1 with respect to full disk encryption under Requirement 3: Protect stored cardholder data?

There is no new requirement impacting full disk encryption in PCI DSS 3.1. However, the requirements from 3.0 remain in effect, so organizations must be diligent. If they use encryption as a method to protect stored cardholder data, they should take care to deploy their encryption with proper authentication to achieve compliance, and the full protection that encryption can provide.
