Version 3.0 of PCI DSS (Payment Card Industry Data Security Standard) was published in November of 2013 and became effective in January of this year.
“The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”
I wrote a blog about PCI DSS 3.0 and full disk encryption just a few months ago, so I was a bit surprised to see PCI DSS 3.1 come out this April and be effective immediately. PCI DSS Version 3.0 was retired on 30 June 2015.
Two questions immediately came to mind:
Why did the PCI Security Standards Council (PCI SSC) roll out version 3.1 with such urgency?
And why was PCI DSS Version 3.0 retired on 30 June 2015, after such a short in-service life? Well, it is all about SSL. PCI DSS 3.1 addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.
In short, on Oct 14, 2014 NIST published the CVE-2014-3566 vulnerability:
“The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.”
The key changes in PCI DSS 3.1 with respect to SSL are removing SSL as an example of a secure technology and updating the testing procedure to recognize all versions of SSL as examples of weak encryption. TLS, the successor to SSL, should be used in place of SSL to protect data in motion from now on.
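The two sides of that change in practice are hardening (make sure your own TLS endpoints can no longer negotiate any SSL version) and detection (find sessions that still did). The following Python example is added here to illustrate both; it is not code from the original post or from the PCI SSC. The choice of TLS 1.2 as the minimum version, the `legacy_context` "before" setting, and the `key=value` connection log format with its `proto=` field are all assumptions made for the example, not anything the standard or the page specifies.

```python
import re
import ssl

# --- Hardening: refuse every SSL version, which PCI DSS 3.1 now treats as weak ---

def legacy_context():
    """The weak setting: a context whose floor is "whatever the library allows".

    On older OpenSSL builds that floor includes SSLv3 (the POODLE target), so
    this is the configuration PCI DSS 3.1 no longer accepts.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def hardened_client_context(cafile=None):
    """The corrected setting: a client context that can only negotiate TLS.

    Assumption (not from the PCI text): TLS 1.2 is chosen as the floor; the
    standard itself only says SSL is weak and TLS must be used instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 and below can never be offered
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_permits_ssl(ctx):
    """Audit check for an existing SSLContext: could it still talk SSL?

    MINIMUM_SUPPORTED means the floor is decided by the underlying library,
    which may include SSLv3, so it is reported as a finding (conservative).
    """
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True
    return floor <= ssl.TLSVersion.SSLv3

# --- Detection: find SSL sessions in connection logs ---------------------------

# Constructed sample lines in a made-up "key=value" format; the field names are
# assumptions for this example, not a real product's log schema.
SAMPLE_LOG = """\
2015-07-01T09:58:12Z src=203.0.113.5 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2015-07-01T09:58:40Z src=198.51.100.9 proto=SSLv3 cipher=AES256-SHA
2015-07-01T09:59:03Z src=192.0.2.77 proto=TLSv1 cipher=AES128-SHA
2015-07-01T09:59:31Z src=203.0.113.5 proto=SSLv2 cipher=RC4-MD5
"""

_PROTO_RE = re.compile(r"\bproto=(\S+)")

def is_weak_protocol(name):
    """PCI DSS 3.1 recognizes every version of SSL as weak encryption."""
    return name.upper().startswith("SSL")

def flag_ssl_connections(log_text):
    """Return (timestamp, src, proto) for each logged session that used SSL."""
    findings = []
    for line in log_text.splitlines():
        m = _PROTO_RE.search(line)
        if not m or not is_weak_protocol(m.group(1)):
            continue
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        findings.append((parts[0], fields.get("src"), fields.get("proto")))
    return findings

if __name__ == "__main__":
    print("legacy context permits SSL:  ", context_permits_ssl(legacy_context()))
    print("hardened context permits SSL:", context_permits_ssl(hardened_client_context()))
    for ts, src, proto in flag_ssl_connections(SAMPLE_LOG):
        print(f"{ts} {src} negotiated {proto}: non-compliant under PCI DSS 3.1")
```

On a live socket created from one of these contexts, `sock.version()` returns the negotiated protocol as a string such as `'TLSv1.2'` or `'SSLv3'`, so the same `is_weak_protocol` check can be applied at connection time as well as over historical logs.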
What is new in version 3.1 with respect to full disk encryption under Requirement 3: Protect stored cardholder data?
There is no new requirement impacting full disk encryption in PCI DSS 3.1. However, the requirements from 3.0 remain in effect, so organizations must be diligent. If they use encryption as a method to protect stored cardholder data, they should take care to deploy their encryption with proper authentication to achieve compliance, and the full protection that encryption can provide.