Dara Security

Notice: PCI DSS and PA-DSS v3.1 Revisions Coming

January 30, 2015

In a notification to QSAs and ASV providers, the PCI SSC announced that a revision of PCI DSS and PA-DSS v3.0 is coming in the very near future to address a few minor updates and clarifications and one impacting change. The impacting change concerns several vulnerabilities in the SSL protocol.

In short, because of the publicly released vulnerabilities in SSL, no version of SSL meets the PCI SSC's definition of "strong cryptography." The PCI SSC will issue updates to the standards to address this. In the near future, this will mean that if a payment application or website solely supports SSL for transmission of cardholder data, it will not meet PCI DSS or PA-DSS requirements.

The PCI SSC is working with industry stakeholders to determine the impact and the best way to address the issue. While they do not have a final publication date, their goal is to keep the community apprised of the progress and to provide advance notification of these pending changes. They are also preparing several FAQs that will accompany the release of the revised standards.

Over the last 60 days, the PCI SSC has inquired with Dara Security regarding several PA-DSS submissions that indicated a payment application supports SSLv3.0, what application vendors are doing to address the issues with SSL, and what we are advising them. In short, our advice to our payment vendors has been to ensure they support TLS version 1.2, if they do not already, and to disable SSL support if it will not impact their certification with their various payment gateway/processor platforms.
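As an added example (not Dara Security's code), the Python below applies the advice above in two ways: it builds a server context that refuses every SSL version, and it audits a protocol range, whether taken from a live context or read off a scanner report, against the two points in the notice (cannot negotiate SSL; can negotiate TLS 1.2). The certificate paths are hypothetical, the "legacy" range is a constructed sample, and pinning the floor at TLS 1.2 also drops TLS 1.0/1.1, which is stricter than the notice itself states.

```python
import ssl
from ssl import TLSVersion

# PCI SSC's position in the notice: no SSL version counts as "strong cryptography".
# Everything at or below SSLv3 is therefore a finding; TLS 1.2 is the advised target.
SSL_CEILING = TLSVersion.SSLv3
TARGET_FLOOR = TLSVersion.TLSv1_2


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that refuses every SSL version and offers TLS 1.2 or newer.

    Pinning the floor at TLS 1.2 also drops TLS 1.0/1.1, which is stricter than the
    notice requires; lower the floor only if a gateway/processor still needs them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TARGET_FLOOR  # SSLv2/SSLv3 handshakes are refused outright
    if certfile:  # hypothetical paths from the caller; not needed for the audit below
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_protocol_range(min_version, max_version=TLSVersion.MAXIMUM_SUPPORTED):
    """Return findings for a negotiable protocol range; an empty list means it passes."""
    findings = []
    # MINIMUM_SUPPORTED (-2) means "whatever the library allows", so it is treated as
    # not pinned above SSL rather than as a guarantee that SSL is off.
    if min_version == TLSVersion.MINIMUM_SUPPORTED or min_version <= SSL_CEILING:
        findings.append("accepts SSL: fails PCI SSC's strong-cryptography definition")
    # MAXIMUM_SUPPORTED (-1) is a sentinel, not a low version, so exclude it first.
    if max_version != TLSVersion.MAXIMUM_SUPPORTED and max_version < TARGET_FLOOR:
        findings.append("cannot negotiate TLS 1.2: upgrade the TLS stack")
    return findings


def audit_context(ctx):
    """Apply the same audit to the range configured on a live SSLContext."""
    return audit_protocol_range(ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    # Constructed sample: a legacy payment application that still offers SSLv3
    # and tops out at TLS 1.0, next to the hardened context above.
    legacy = (TLSVersion.SSLv3, TLSVersion.TLSv1)
    print("legacy  :", audit_protocol_range(*legacy))
    print("hardened:", audit_context(hardened_server_context()))
```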