Call us on 03450 21 21 51

PCI DSS, Vulnerability Scans and the Trouble with SSL
The SRM Blog

PCI DSS, Vulnerability Scans and the Trouble with SSL


Written by SRM

11th April 2016

Share this article

With the PCI Council set to release version 3.2 of the PCI DSS imminently, the subject of migration away from weak session encryption protocols is becoming a hot topic. In December of 2015, the council extended the deadline for removal of SSL and TLS 1.0 from June 2016 to June 2018.

One of the potential pitfalls of this change is that the ASV  (Approved Scan Vendor) scans that are being run may identify high level SSL vulnerabilities, resulting in a failing ASV scan… where does this leave you?

Fortunately, the nice folks at the PCI Council have already identified that this may cause an issue and have published some guidelines to assist if you find yourself in the middle of the migration.

To help those who want to continue to support SSL and early TLS during the changeover period, (prior to June 30th 2018), the entity may provide their ASV a copy of their Migration Plan and Risk Mitigation measures. The ASV can then review this and enter an ‘exception’ in the appropriate section of the scan report.

After June 30th 2018, supporting SSL and early TLS is still feasible but not if it is a security control for a PCI related component. If the Webserver supports TLS 1.0 but a higher version is used for the payment card capture pages for instance, this could be discussed with the ASV and entered as an exception or False Positive.

In both cases, communication with the ASV is the key here. They have the expertise in identifying vulnerabilities and being able to remediate them too, so make sure that these points are discussed openly.

If these weak ciphers are supported now, then the risk mitigation and migration plan is a must. It is required for the PCI assessment and will also help greatly with the scanning, so talking to your QSA about how best to achieve this will be beneficial on both counts, (SRM have some templates that you can use to help get you off the ground with this activity).

The PCI council have put together a very informative and interesting supplement covering just this topic and anyone with queries on this subject should use this document for reference.

As a closing thought, the deadline for supporting weak ciphers has been extended to June 30th 2018 but this does not mean that you should park this issue until then. Updating to a more secure version of TLS now will protect your business and give a greater degree of confidence in the approach.

Back to top