In April 2015 the PCI Security Standards Council (SSC) released PCI DSS v3.1 to address threats to SSL and early TLS protocols. This presentation highlights the key implications for businesses that collect payment data and how to migrate to PCI DSS v3.1

1. © 2016 Stickman Consulting Pty Ltd 1
PCI DSS Update
Key implications of PCI DSS v3.1
By Ajay Unni, CEO, Stickman Consulting
By Ajay Unni, CEO, Stickman

2. © 2016 Stickman Consulting Pty Ltd 2
Agenda
• Why PCI DSS v3.1
• Summary of PCI DSS v3.1
• How to know if your using SSL/early TLS
• What you should do if using SSL/early TLS
• Is your organisation using SSL/early TLS?
• Key implications for merchants
• Key implications for small merchants
• What should e-commerce websites do?
• Steps to migrate safely
• About Stickman
2

3. © 2016 Stickman Consulting Pty Ltd 3
Why PCI DSS v3.1?
• PCI DSS v3.1 was released in April 2015.
• Released early due to identified threats to
Secure Sockets Layer (SSL) and early Transport
Layer Security (TLS) protocols.
• POODLE browser attack and vulnerabilities like
FREAK and WinShock also expedited it’s
release.
3

4. © 2016 Stickman Consulting Pty Ltd 4
Why PCI DSS v3.1 cont’d
• SSL and early versions of TLS are no longer
considered strong encryption protocols to send
cardholder information between web servers
and browsers.
4

5. © 2016 Stickman Consulting Pty Ltd 5
Summary of PCI DSSv3.1
• Key requirements affected by PCI DSS v3.1 are:
– 2.2.3: Requires encryption for services and protocols
such as VPNs, FTP, Telnet and file share.
– 2.3: Requires encryption for non-console
administrative access.
– 4.1: Requires encryption and implementation of
security protocols to protect cardholder data during
transmission over open, public networks.
5

6. © 2016 Stickman Consulting Pty Ltd 6
How to know if your using SSL/early TLS?
• Contact your network vendor to determine what
version is being used.
• Conduct internal and external vulnerability scans
to identify any unsecured SSL-based
applications.
6

7. © 2016 Stickman Consulting Pty Ltd 7
What you should do if using SSL/early TLS
• Reconfigure and disable SSL 3.0 in your software by following
instructions from the vendor’s website or by getting help from online
forums and blogs.
• Upgrade by buying the latest software version from the vendor and
configure it for the latest version of TLS.
• Encrypt your data by using strong cryptography such as application
or field-level encryption before transmitting data over SSL/Early
TLS.
• Set up an encrypted session such as IPsec tunnel, and send the
data over SSL through the encrypted tunnel.
7

8. © 2016 Stickman Consulting Pty Ltd 8
Key implications for merchants
• Merchants cannot use SSL and early versions of TLS in
any new technology.
• SSL and TLS cannot be deployed as security controls for
cardholder data after 30 June 2016.
• Merchants with existing technology must implement a
risk mitigation and migration plan prior to 30 June 2016.
• POS terminals not exposed to vulnerabilities can be
used after 30 June 2016.
8

9. © 2016 Stickman Consulting Pty Ltd 9
Key actions for small merchants
• Small merchants must also eliminate SSL/early TLS
from their cardholder data environment.
• Assess security of Point of Sale terminals for SSL
vulnerability.
• Identify areas (servers, computers, POS terminals)
where SSL/early TLS is implemented and upgrade or
reconfigure prior to 30 June 2016.
9

10. © 2016 Stickman Consulting Pty Ltd 10
What should e-commerce websites do?
• Create a risk mitigation and migration plan.
• Before migration, reduce the number of servers
to avoid exposure to vulnerabilities.

11. © 2016 Stickman Consulting Pty Ltd 11
Steps to migrate safely
1. Identify data flows and system components that support vulnerable protocols.
2. Identify the business or technical need to use the vulnerable protocol for each
data flow or system component.
3. Remove all such occurrences of vulnerable protocols which are not supported
by a business or a technical need.
4. Identify which technologies can replace the protocols and also develop
complete documentation of secure configurations that are planned for
implementation.
5. Document the migration plan that outlines steps and timeframes of each update.
6. Deploy controls of risk reduction to counter the effect of known vulnerabilities till
all vulnerable protocols are permanently removed.
7. Follow the change control procedures to make sure that all updates are
authorised.
8. Upgrade system configuration standards after migration process is complete.
11

12. © 2016 Stickman Consulting Pty Ltd 12
Our clients

13. © 2016 Stickman Consulting Pty Ltd 13
The Payment Card
Industry Landscape

14. © 2016 Stickman Consulting Pty Ltd 14
12
months
cycle
Phase I
Assess
Phase II
Remedia
te
Phase III
Certify
Phase IV
Maintain
PCI Lifecycle Action Plan

15. © 2016 Stickman Consulting Pty Ltd 15
P: 1800 785 626
E: ajay.unni@stickman.com.au
www.stickman.com.au
Level 11, Suite 2,
210 George Street,
Sydney NSW 2000
Thank you!