Executive Insight: Warning for SSLv3 and Some TLS Users
By Stephen Ames, CISA, CISSP – Senior Director, Security Compliance, Shift4 Corporation
As you already know, we at Shift4 are fanatics about having the strongest security possible, which is why we build security into everything we do from the ground up. More than a year ago, we eradicated SSL and early TLS from everywhere it remained in our environment; however, we have still been supporting these protocols for a small number of merchants. Our goal is to turn off support for SSLv3 and early versions of TLS as soon as possible, but no later than March 31, 2017. This means that if you are connecting to us with SSLv3, or with TLS version 1.1 or older, you need to update your setup. Here’s why – and how.
Are You Still Using SSLv3, Early TLS?
When the PCI Data Security Standard (DSS) version 3.1 was released back in April 2015, the PCI SSC determined that SSLv3 and early versions of TLS are no longer considered strong cryptography for the transport of cardholder data over public networks or for non-console administrative access to your cardholder data environment (CDE). This means that if you were still using SSLv3 or early versions of TLS as of June 30, 2016, your CDE may be non-compliant with PCI DSS – and your payment traffic is exposed to the known weaknesses of those protocols.
The PCI SSC revised their standing on these protocols in April 2016 when they released PCI DSS version 3.2, which offered the following conditions for continued use of SSL and early TLS:
- You may continue using SSLv3 and early versions of TLS until June 30, 2018, but you must maintain a formal Risk Mitigation and Migration Plan.
- You may continue using SSLv3 and early versions of TLS for your card-present point-of-sale terminals beyond June 30, 2018, if it can be verified they are not susceptible to any known exploits for SSLv3 and early versions of TLS. You must also maintain a formal Risk Mitigation and Migration Plan.
- Any new installations in your CDE may never use SSLv3 or early versions of TLS.
What Are SSLv3 and Early TLS?
SSL, or Secure Sockets Layer, is the cryptographic protocol that was once used to secure communications between a user’s web browser and a website, protecting transmitted data from eavesdropping and tampering. TLS, or Transport Layer Security, is its successor; “early TLS” refers to versions 1.0 and 1.1, which are 17 and 10 years old respectively – ancient in IT terms. Both SSL and early TLS are deemed insecure by the PCI SSC and by the National Institute of Standards and Technology, and the vulnerability entries for these protocol versions can be found at the Common Vulnerabilities and Exposures (CVE) website.
Most DOLLARS ON THE NET Users Don’t Need to Worry
Fortunately, most cardholder data destined for our DOLLARS ON THE NET® payment gateway is transported by the Universal Transaction Gateway® (UTG®), which uses PCI-defined strong cryptography to encrypt data at the packet level and is required for all of our e-commerce, point-of-sale, and property management system integrations. The UTG also uses Derived Unique Key Per Transaction with Moving Target Encryption (DUKPT w/MTE) – our proprietary encryption methodology that delivers the fastest and most secure payment processing in the industry – to transfer data over private, high-speed leased lines. (You can read all about it here.)
This means that there are only two areas of concern with SSLv3 and early versions of TLS that remain at Shift4: older browser connections and server-to-server connections to DOLLARS ON THE NET and i4Go®.
- Browser Connections: Chances are you are already using a modern browser that supports TLS v1.2. All major browsers (Chrome, Firefox, Internet Explorer, Opera, and Safari) now support TLS v1.2 by default. If this is the case, that’s great. Just be sure that you’re running the most current version of your browser and keep it updated with the latest patches. If not, you can update your browser using the links available on our website.
- Server-to-Server Connections: If you have a server-to-server interface to DOLLARS ON THE NET and/or i4Go, check that the HTTPS sessions your systems negotiate are using TLS v1.2 (defined in RFC 5246), the version PCI accepts as strong cryptography. The negotiated version depends on the TLS library and configuration on your side as much as on ours: older runtimes and HTTP client libraries do not offer TLS v1.2 unless it is explicitly enabled. If the HTTPS sessions are not using TLS v1.2, you will be required to maintain a Risk Mitigation and Migration Plan for PCI DSS until you migrate to TLS v1.2 (see PCI DSS v3.2, Requirement 4.1 and Appendix A2). You should also contact Shift4 Customer Support for guidance.
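The following is an added example of how to perform the server-to-server check described above; it is not Shift4 code and does not come from the original article. It does two things with Python’s standard library: it parses a captured ServerHello record (for example, pulled from a packet capture of your gateway connection) and reports the negotiated protocol version and cipher suite, and it probes a live endpoint while refusing anything below TLS v1.2. It also goes beyond the article by recognising TLS 1.3, whose ServerHello still carries 0x0303 in the version field and signals 1.3 in the supported_versions extension. The ServerHello records used for testing are constructed in the block, not real captures; `gateway.example` and the port are placeholders, and the two live-probe functions assume network access and are not exercised offline.

```python
"""Check which TLS version a server-to-server HTTPS link negotiates.

Example code added alongside the article; not Shift4's own code.
Offline: parse a ServerHello record.  Live: probe an endpoint with ssl.
"""
import socket
import ssl

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}
MIN_ACCEPTABLE = 0x0303          # PCI DSS v3.2 Appendix A2: TLS 1.2 or higher
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446: TLS 1.3 reports its version here


def parse_server_hello(record: bytes) -> dict:
    """Return negotiated version, cipher suite and PCI verdict from one ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:            # version(2) + random(32) + sid_len(1) + suite(2) + comp(1)
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                   # skip server_version and random
    pos += 1 + hello[pos]          # skip session_id (length-prefixed)
    cipher_suite = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2 + 1                   # skip cipher suite and compression method
    if pos + 2 <= len(hello):      # extensions block is optional
        ext_len = int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type = int.from_bytes(hello[pos:pos + 2], "big")
            ext_size = int.from_bytes(hello[pos + 2:pos + 4], "big")
            data = hello[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                version = int.from_bytes(data, "big")   # real version for TLS 1.3
    return {
        "version": VERSION_NAMES.get(version, "0x%04x" % version),
        "cipher_suite": "0x%04x" % cipher_suite,
        "pci_acceptable": version >= MIN_ACCEPTABLE,
    }


def build_server_hello(version: int, cipher_suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (sample data for testing, not a capture)."""
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
             + cipher_suite.to_bytes(2, "big") + b"\x00")
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    record_version = min(version, 0x0303)   # the record layer never goes above 1.2
    return (b"\x16" + record_version.to_bytes(2, "big")
            + len(handshake).to_bytes(2, "big") + handshake)


def probe_live(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live endpoint, refusing anything below TLS 1.2, and report the result.

    Requires network access; host and port are placeholders in this example.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher_suite": tls.cipher()[0],
                    "pci_acceptable": True}


def server_accepts_early_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server still completes a handshake capped at TLS 1.1 (a migration-plan finding)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # only the offered protocol matters here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")     # modern OpenSSL refuses early TLS at default level
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() in ("SSLv3", "TLSv1", "TLSv1.1")
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    sample = build_server_hello(0x0303, 0xC02F)   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    print(parse_server_hello(sample))
    # Live checks, against a placeholder host:
    # print(probe_live("gateway.example"))
    # print(server_accepts_early_tls("gateway.example"))
```

The quick command-line equivalent of the live probe is `openssl s_client -connect host:443 -tls1_2`, and repeating it with `-tls1_1`, `-tls1` and `-ssl3` shows whether each older version is still accepted; run the checks from the machine that actually hosts your integration, because that is the TLS stack whose configuration decides what gets negotiated.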
To help make sense of all this, the PCI SSC released Migrating from SSL and Early TLS in April 2016.
If you are still running SSLv3 or early versions of TLS, contact Shift4 Customer Support at 702.597.2480 (option 2) or firstname.lastname@example.org for guidance. And, of course, if you’re not already, you should consider using True P2PE™ with EMV to encrypt all transactions at the point of swipe or insertion, so that your payments are as secure as they can be.