Earlier this year, the PCI Security Standards Council released PCI DSS 3.1, and many businesses are already scrambling to meet its demands, including retiring Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS). Every version of SSL, and TLS 1.0 (what the standard calls "early TLS"), is no longer considered strong cryptography and must be removed from in-scope systems; TLS 1.1 or later is the minimum, and TLS 1.2 is strongly recommended. For organizations with custom Web sites or custom applications that depend on these older protocols, this can be quite an undertaking.
Some businesses may be able to disable the old protocols with a configuration change; others will have to modify the affected applications. For instance, a business that runs SSL VPNs with client agents deployed on remote laptops and mobile devices will need to move every one of those clients to an acceptable version of TLS. The more devices deployed, the more the business needs a sound strategy to ensure compliance.
PCI DSS 3.1 is explicit that new implementations must not use SSL or early TLS. Legacy Web sites and applications may keep running for the moment, but only with a formal risk mitigation and migration plan in place, and the time to start is now in order to meet the June 30, 2016, deadline.
The key is determining whether you have this problem and how far into the enterprise it extends. To speed up that step, a third party can perform an assessment to uncover where SSL and early TLS are still accepted on the network. Earthlink’s professional services staff can perform a vulnerability scan and share the findings through a comprehensive report and consultation. Businesses can use this report to work with their third-party vendors to close the identified gaps. Without such a scan, those vendors would have to spend time testing and poking around in the environment to find the weak endpoints themselves.
For instance, if an application is hosted in the cloud and relies on SSL, the business can work with the provider to home in on the problem areas and to understand how the software will behave once the old protocols are disabled.
In essence, Earthlink can help shortcut what a business and vendor will have to address to ensure compliance by the mandate’s deadline, providing cost and competitive advantages.
Interestingly, Earthlink is under the same demands and must assess its own networks in the same way. We’ll be sharing what we learn with our professional services team, ensuring that customers get the best insight for PCI 3.1 compliance.
Have you gotten the ball rolling for PCI 3.1 yet? Let us know in the comments below.