To make it easier to identify systems that are out of compliance with the newly announced PCI DSS 3.1 requirements prohibiting SSL, Qualys is releasing a new detection for PCI compliance scans.
New PCI DSS Requirements
Back in February 2015, PCI SSC released a bulletin announcing that NIST no longer considers the Secure Sockets Layer (SSL) v3.0 protocol acceptable for protecting data, and that no version of SSL meets the PCI definition of ‘strong cryptography.’ On March 25 PCI SSC released a PCI SSC FAQ with additional information on how SSL poses a risk to payment card data and how it impacts point-of-sale devices and web servers. The revised PCI DSS 3.1 will be published sometime this month (April).
Will PCI compliance scans fail immediately if SSL is found enabled?
The council has indicated that PCI DSS 3.1 will be effective immediately upon publication, but the affected requirements will have a sunset date to give organizations with affected systems time to implement the changes. If you have not started migrating off SSL 3.0, we strongly recommend that you start as quickly as feasible rather than waiting for the sunset date.
Should organizations migrate to TLS 1.1 or TLS 1.2?
The PCI council states that TLS 1.2 meets the PCI SSC definition of ‘strong cryptography’ and recommends it. If upgrading to TLS 1.2 is not possible, the council advises upgrading to at least TLS 1.1.
How do the new requirements apply to web servers and POS systems?
Point-of-sale terminals, which include magnetic card readers and chip card readers, use SSL to transmit data. The council considers these devices a lower-priority risk, since exploiting known vulnerabilities in such environments is difficult. In some cases POS hardware may need replacement or firmware updates. Organizations that run web servers, browsers and similar software, however, are not considered lower-priority risk, and compliance must be managed in accordance with DSS requirements (such as 6.1, 6.2, and 11.2).
New Qualys Detection for PCI DSS 3.1
Qualys plans to release a new detection later in April (available now), QID 38606, which will notify customers of the presence of SSLv3. In current scan reports it is already possible to identify SSL v2 through QID 38139, and SSL v3 can be identified from a combination of different QIDs. Having a single QID for SSL v3 simplifies identification for administrators and increases their visibility into the SSL versions in use on their systems.
If QID 38606 is detected, PCI scans will fail in accordance with the sunset date and other guidance in the upcoming PCI DSS and PA-DSS 3.1 documents. Additionally, Qualys is revising the solution sections of SSL/TLS-related vulnerabilities to suggest solutions in which TLS v1.1+ is preferred.
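As an added example (not Qualys's detection logic and not code from this post), the following Python script does the core of what an SSLv3 detection has to do: it sends a bare SSLv3 ClientHello to one of your own servers and classifies the first record that comes back, so a ServerHello at version 0x0300 means SSLv3 is still enabled. The target host, port and cipher-suite list are assumptions; SSLv2 uses a different record format and is not covered here.

```python
import socket
import struct

SSLV3 = 0x0300
# Protocol version bytes carried in a ServerHello; per the post, TLS 1.1 is the
# PCI SSC minimum and TLS 1.2 is preferred.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_sslv3_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal SSLv3 ClientHello record; SSLv3 has no extensions, so none are sent.
    The suites are an assumed, widely supported set (AES128-SHA, AES256-SHA, DES-CBC3-SHA)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", SSLV3)
            + b"\x00" * 32                               # client random (a constant is fine for a probe)
            + b"\x00"                                    # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    return struct.pack("!BHH", 22, SSLV3, len(handshake)) + handshake  # ContentType handshake = 22

def classify_response(data):
    """Interpret the first record a server returns to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-tls-record"
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    record = data[5:5 + length]
    if content_type == 21 and len(record) >= 2:          # alert: handshake refused
        return "alert(level=%d,desc=%d)" % (record[0], record[1])
    if content_type == 22 and len(record) >= 6 and record[0] == 2:   # ServerHello
        version = struct.unpack("!H", record[4:6])[0]
        return "negotiated " + VERSION_NAMES.get(version, "0x%04x" % version)
    return "unexpected-content-type-%d" % content_type

def sslv3_supported(result):
    """True when the server completed version negotiation at SSLv3 (the condition QID 38606 flags)."""
    return result == "negotiated SSLv3"

def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_response(sock.recv(4096))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed target, not a real host
    result = probe_sslv3(target)
    print(target, "->", result, "| SSLv3 enabled:", sslv3_supported(result))
```

A server that has SSLv3 disabled normally answers with a protocol_version (70) or handshake_failure (40) alert, which the classifier reports as not supported.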