What do the new SSL and early TLS requirements mean for my file transfer solution?
Earlier this year we reminded you that Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) are no longer considered secure protocols, because of the growing number of attacks and vulnerabilities against them, with online and e-commerce systems the area most at risk.
From 30th June 2018 organisations will need a more secure encryption protocol in order to safeguard payment data and meet the PCI DSS standard. With just over a week to go, we wanted to share these key points, so you can check you have everything in place and understand what it means for your file transfer solution.
What do I need to put in place?
Essentially, you need to have a secure alternative – both at the network layer and at the data protection layer – and disable any fallback to SSL or early TLS. Your two options are as follows:
1. Migrate to TLS 1.2
The PCI council makes a clear recommendation that you transition to TLS 1.2:
“TLS 1.2 is considered secure and is the recommended option from the council.”
SSL and Early TLS Migration webinar, Feb 2018.
2. Compensatory controls
SSL and early TLS are not considered strong cryptography, so they cannot be used as a security control for PCI DSS. You could add alternative security controls that remove the reliance on SSL and early TLS: the data would need to be encrypted before it is transmitted over SSL or early TLS, e.g. at the application layer.
Exception for POI devices
This exception is in place because Point-of-Interaction (POI) terminals are not as susceptible to the vulnerabilities as browser-based systems. If the device is built and configured in a way that is not susceptible to the known vulnerabilities, it is possible to keep using it. You need to contact the vendor or support provider for that terminal, who can provide evidence of this.
The device will still need up-to-date patches, must not use weak cipher suites or unapproved algorithms (e.g. RC4 or MD5), and you must continually check that it has not become susceptible to any new vulnerabilities. You should also have a migration plan in place that you can execute at short notice, should the device become susceptible. Any new devices should be configured for TLS 1.2.
You can find out more information on all the topics covered in this blog by watching the video from the PCI Security Standards Council.
What does this mean for my file transfer solution?
If you are running a file transfer solution and have kept it up to date, there is a good chance you won't need any major changes. All the current versions from the main MFT vendors support TLS 1.2, and many are configured by default with only TLS enabled.
Some products have PCI compliance scans built in, which will warn you if you are running SSL v3.0. Such a scan may not distinguish between TLS 1.0 and TLS 1.2, though, so you will need to check manually. If you have a support contract with Pro2col, raise a support ticket and one of our technical consultants will find out whether your solution is configured for TLS 1.2.
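One way to do that manual check yourself, as an added example that is not code from Pro2col or from any MFT vendor: a small Python probe that opens a TLS connection to your file transfer server once per protocol version, with the client pinned to that single version, and reports which ones the server accepts. The host name and port are assumptions (substitute your own listener); the verdict rule encodes the guidance above, namely that TLS 1.0 and 1.1 must be refused and TLS 1.2 accepted. Note the edge case where your own OpenSSL build will not offer TLS 1.0/1.1 at all, which the probe reports as "untestable" rather than as a pass.

```python
import socket
import ssl
import sys

# Versions the PCI guidance above distinguishes. SSLv3 is omitted because
# modern Python/OpenSSL clients cannot offer it; rely on the scan tool for it.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'refused' or 'untestable' for one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # checking protocol support, not the certificate
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 1.1+/3.x offer legacy versions
    except ssl.SSLError:
        pass                              # other TLS libraries: keep their defaults
    try:
        ctx.minimum_version = version     # pin the client to exactly one version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "untestable"               # this client build cannot offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except ssl.SSLError as exc:
        # These two messages mean our side declined, not the server.
        local = ("no protocols available", "unsupported protocol")
        return "untestable" if any(m in str(exc).lower() for m in local) else "refused"
    except OSError:
        return "refused"                  # reset, timeout or closed connection

def probe_all(host, port):
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}

def pci_verdict(results):
    """Apply the 30 June 2018 rule: early TLS must be off, TLS 1.2 must be on."""
    if any(results.get(v) == "accepted" for v in ("TLSv1.0", "TLSv1.1")):
        return "fail"          # early TLS is still negotiable
    if results.get("TLSv1.2") != "accepted":
        return "fail"          # no compliant protocol is offered at all
    if any(results.get(v) == "untestable" for v in ("TLSv1.0", "TLSv1.1")):
        return "inconclusive"  # confirm those versions with another client
    return "pass"

if __name__ == "__main__":  # usage: python tls_check.py mft.example.com 443 (placeholder host)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    found = probe_all(host, port)
    for name, state in found.items():
        print(f"{name}: {state}")
    print("PCI verdict:", pci_verdict(found))
```

Run it against each TLS listener your MFT product exposes (HTTPS, FTPS and any admin console), since each may be configured separately.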
If you are running an older version of your file transfer solution, you may need to upgrade. Again, Pro2col can advise on the process, and our professional services team has experience bringing out-of-date software up to the latest version.
If you are running an older SSL certificate built with a 512-bit or 1024-bit key, it is worth renewing it. The recommendation is now to use a key size of 2048 bits or greater.