Recent cyber-attacks on the protocol that has long secured Web connections and, more recently, payment applications are pushing the Payment Card Industry Security Standards Council to issue an update with strong implications for e-commerce sellers.
When the council delivers PCI 3.1 this month, it will call for merchants to move from the common Secure Sockets Layer, or SSL, protocol between a server and client to a more secure version of Transport Layer Security, or TLS.
Payment processors and security vendors alike are trying to spread the word quickly to merchants, even before knowing exactly what PCI 3.1 will specifically require.
Attacks known as Heartbleed, Shellshock and Poodle have exposed the flaws in SSL. They forced the National Institute of Standards and Technology, which establishes the federal government's encryption standard, to decide that the protocol should no longer be considered strong cryptographic protection.
E-commerce merchants will need to configure Web servers to work with TLS and turn off support for SSL, while brick-and-mortar businesses may need to update their payment applications, said Don Brooks, senior security engineer for Chicago-based Trustwave.
Brick-and-mortar merchants need to check with their point-of-sale vendors about TLS changes, and likely could make that coding fix at the same time they are undergoing EMV chip-card changes on their networks, Brooks said. Many U.S. merchants are in the process of upgrading terminals in preparation for the card networks' EMV deadline on Oct. 1, after which companies face a shift in fraud liability if they cannot accept EMV chip cards.
"Merchants just have to engage with their app vendor to get documentation about what the risk is with their payment application to determine if they are safe," Brooks said. "For most vendors, this will not be a problem and should be a quick fix. But for some, there may be an issue to deal with, or a configuration change or coding a solution that could take some time."
All government systems moved to TLS 1.1 or higher because the earliest version also was vulnerable to attacks, Brooks said.
Early feedback from merchants indicates that some wrongly believe the certificates they use with the SSL protocol will no longer be viable, which would result in a significant change in how e-commerce would operate, Brooks said.
"Certificate" is the technical term for a package that contains encryption and identity information about a site's operator. Essentially, the certificate verifies the identity of the site operator and ensures that only the operator can read the information a site visitor sends.
"The certificates ride on top of the protocol, so the only change that needs to be made is just in how the servers and systems are configured to make sure they don't support older, non-secure ciphers," Brooks said.
The certificate "moves down a highway that is SSL 2.0 or a highway that is TLS 1.1 as the Web server looks to support all technology," he added.
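The configuration change Brooks describes comes down to the protocol list in the Web server's TLS settings. As an added example that is not from the article or from Trustwave, the audit below reads a single Apache `SSLProtocol` or nginx `ssl_protocols` directive, reports which SSL or early-TLS versions it still enables, and emits the hardened line; it treats TLS 1.1 and later as acceptable, following the article's statement that government systems moved to TLS 1.1 or higher, and the set of known versions and the Apache `all` semantics are assumptions noted in the code.

```python
"""Audit Apache/nginx TLS protocol directives for SSL and early-TLS support."""

# Assumption: the protocol versions the audit recognises, oldest first.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Versions to turn off: all of SSL plus the earliest TLS, which the article
# says government systems already moved away from.
WEAK = {"SSLv2", "SSLv3", "TLSv1"}
_CANON = {v.lower(): v for v in KNOWN}   # config files are case-insensitive


def _canon(version: str) -> str:
    """Map a version token to its canonical spelling, rejecting unknown ones."""
    if version.lower() not in _CANON:
        raise ValueError(f"unknown protocol version: {version!r}")
    return _CANON[version.lower()]


def enabled_protocols(directive: str) -> set:
    """Return the versions one directive enables.

    Apache's SSLProtocol uses +/- toggles and the keyword 'all';
    nginx's ssl_protocols is a plain list of the versions to allow."""
    tokens = directive.strip().rstrip(";").split()
    name, args = tokens[0].lower(), tokens[1:]
    if name == "sslprotocol":
        enabled = set()
        for arg in args:
            op, ver = (arg[0], arg[1:]) if arg[0] in "+-" else ("+", arg)
            # Assumption: 'all' means every known version except SSLv2.
            versions = set(KNOWN) - {"SSLv2"} if ver.lower() == "all" else {_canon(ver)}
            enabled = enabled | versions if op == "+" else enabled - versions
        return enabled
    if name == "ssl_protocols":
        return {_canon(a) for a in args}
    raise ValueError(f"not a TLS protocol directive: {directive!r}")


def audit(directive: str) -> dict:
    """Summarise a directive: enabled versions, weak ones, and compliance."""
    enabled = enabled_protocols(directive)
    weak = sorted(enabled & WEAK)
    return {"enabled": sorted(enabled), "weak": weak,
            "compliant": not weak and bool(enabled - WEAK)}


def hardened(directive: str) -> str:
    """Rewrite the directive so only TLS 1.1 and later remain enabled."""
    if directive.strip().split()[0].lower() == "sslprotocol":
        return "SSLProtocol all -SSLv3 -TLSv1"
    return "ssl_protocols " + " ".join(v for v in KNOWN if v not in WEAK) + ";"
```

Run `audit()` on each `SSLProtocol` or `ssl_protocols` line pulled from the server's virtual-host configuration; a non-empty `weak` list is the setting to change before the PCI deadline.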
While it is important to get the warning about PCI's pending update out to merchants, the protocol exposure has been troubling the industry for some time. It has made services like end-to-end encryption of data in transit and tokenization of data at rest popular options to complement EMV chip-card technology.
"The damage [from SSL] may already be done," said Ulf Mattsson, chief technology officer at data security provider Protegrity. "Though new software is inevitable, waiting for better software is not an option."
While a move to TLS 1.1 may resolve the server connection vulnerabilities for a time, it is far better for organizations to address "proactive security of the data itself," Mattsson said.
"By tokenizing or encrypting sensitive data at the point of creation or acquisition, it can be made useless to potential thieves, even in memory," Mattsson added.
Still, there is "no perfect answer to fix years of exposure," Mattsson said. Moving forward, merchants and other organizations need to adopt security solutions that can reduce the risk even if Web protocols are vulnerable.
Compared to SSL, the TLS protocol uses stronger encryption algorithms and can work on different ports. In its first version, TLS was used mostly as a setting in e-mail programs, but it serves the same role in any client-server transaction.
The PCI Council is behind the protocol change "in a big way," said Al Pascual, senior analyst for Javelin Strategy & Research. Still, it is likely that new attacks will continue to prompt updates and changes to Web protocols, he added.
"The merchants have to make this upgrade," Pascual said. "When criminals compromise data at the point of sale after EMV is properly deployed, they can't use that data to make a counterfeit EMV card, so they will start focusing on breaching e-commerce merchants instead."