By : Marnie Thorp
May 24, 2018 12:00 PM
The Payment Card Industry Security Standards Council (PCI SSC) works to protect sensitive cardholder data by maintaining card industry standards, collaborating with financial institutions (FIs), merchants and point-of-sale (POS) vendors, as well as hardware and software developers that help to create the global infrastructure for processing payments.
One of the ways the PCI SSC supports the highest levels of security and responds to threats is through the Data Security Standard (DSS), which was established to combat card fraud and help businesses process transactions securely.
All payment processors, including ATM deployers, have a responsibility to stay in compliance with PCI DSS, which means being aware of any changes in the standard.
As NCR will explore in an upcoming webinar, ensuring ongoing compliance requires FIs to be aware of a significant change.
The forthcoming change to PCI DSS involves a migration away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) cryptographic protocols for the transmission of payment data. The deadline for this move is June 30, 2018, meaning organizations should already be working to ensure they are no longer using SSL/early TLS.
A formal migration and risk mitigation plan should be created for existing systems that currently use SSL/early TLS, which will need to be upgraded to the TLS v1.2 protocol or higher as soon as possible.
From June 30 on, all organizations involved in handling or processing sensitive payment data must have stopped using SSL/early TLS as a security control, and should disable any fallback on these now defunct protocols.
This is the culmination of a process that began with the publication of PCI DSS v3.1 in April, which set a June 2016 deadline for disabling SSL/early TLS. Industry feedback led to a decision by the PCI SSC in December 2015 to push back the migration deadline from June 30, 2016 to June 30, 2018.
Formerly used to enable secure communications between two systems, SSL/early TLS are no longer considered reliable forms of encryption for payment data.
It is important that security standards continually evolve, in response to flaws and loopholes that become apparent over time. In the case of SSL, one of the protocol's biggest weaknesses is its proneness to 'man-in-the-middle' attacks, whereby attackers place themselves between the organization and the end user, and impersonate one of the parties to intercept sensitive data.
The widespread use of SSL/early TLS online has highlighted a number of specific vulnerabilities with these encryption methods, such as the Poodle man-in-the-middle exploit and the Heartbleed bug.
The move away from SSL/early TLS for PCI DSS compliance has wide-ranging relevance for all sorts of payments and transactions. It encompasses processes such as ATM deposits and check image processing as well as ecommerce sales and card-present POS purchases.
It's therefore vital for FIs to ensure that all their systems involved in the handling and transmission of payment data are using the TLS 1.2 protocol or higher.
Implementing dedicated solutions such as NCR's APTRA Passport for ATM imaging and Transaction Gateway for the secure collection of remote deposits can offer security and peace of mind for your organization and its customers.
FIs that are equipped with this sort of cutting-edge technology can be assured that they are doing everything in their power to keep sensitive data safe and staying in full compliance with PCI DSS.