SSL Certificates and PCI Compliance
The proper use of SSL certificates is only a small part of the PCI (Payment Card Industry) requirements, but it is an important one. Other requirements include security assessments and ASV scans, and depend on the number of credit card transactions your company processes. SSL allows you to protect customer data as it is being transmitted to and from the web server. If you don't properly set up your web server to use SSL certificates, you can't meet the PCI standards that are required to accept credit cards on your site. We have previously discussed whether the PCI standards are really effective in protecting consumer information and identity, and we've found that, while not perfect, they are helping to make credit card transactions more secure.
Tim Callan from VeriSign recently gave an informative webcast about SSL Certificates and PCI Compliance. Among other things he brought up the following points:
- PCI requires adequate encryption of credit card holder information while being transmitted
- At least 128-bit encryption must be used
- Phishing is a growing problem in ecommerce
- SGC Certificates are recommended so that an extra 0.3% of potential visitors (using really old browsers like Internet Explorer 5) can access your site. SSL Shopper disagrees that SGC Certificates should be used because it encourages people to use old browsers that have a host of other security problems. The responsible thing to do is to use a normal SSL Certificate (which usually costs much less than an SGC certificate) and require 128-bit encryption on the web server. The 0.3% of visitors using vulnerable web browsers should be encouraged to upgrade their browser so they can avoid other security problems.
- You need to make sure the server is set up so that weak encryption strengths (40-bit and 56-bit ciphers) aren't used.
- EV certificates, which aren't specifically required by the PCI standards, can help deter phishing and increase the number of people who purchase from you.
The PCI Standards specifically state the following about SSL:
Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
- Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks
- Verify that strong encryption is used during data transmission
- For SSL implementations:
  - Verify that the server supports the latest patched versions.
  - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).
  - Verify that no cardholder data is required when HTTPS does not appear in the URL.
  - Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
  - Verify that only trusted SSL/TLS keys/certificates are accepted.
  - Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)
The full PCI Standards can be viewed here.
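As an added example (not from the original post or the VeriSign webcast), the following script checks the two points above that are easiest to get wrong in server configuration: the 128-bit minimum and the absence of 40-bit and 56-bit ciphers. It assumes the server's cipher list is expressed as an OpenSSL cipher string (the value of Apache's SSLCipherSuite or nginx's ssl_ciphers), and the SAMPLE_2008_CIPHERS records are constructed by hand because current OpenSSL builds cannot enable export-grade ciphers at all.

```python
import ssl

# The post's requirement: at least 128-bit encryption, no 40-bit or 56-bit ciphers.
MIN_STRENGTH_BITS = 128

# Constructed sample of what a 2008-era server might still offer. The field
# layout mirrors ssl.SSLContext.get_ciphers(); the export-grade entries are
# written out by hand since modern OpenSSL no longer ships them.
SAMPLE_2008_CIPHERS = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40, "protocol": "SSLv3"},
    {"name": "DES-CBC-SHA", "strength_bits": 56, "protocol": "SSLv3"},
    # RC4-MD5 passes the bit-strength test; bit count is a necessary check,
    # not a sufficient one, so vendor cipher recommendations still apply.
    {"name": "RC4-MD5", "strength_bits": 128, "protocol": "SSLv3"},
    {"name": "AES128-SHA", "strength_bits": 128, "protocol": "SSLv3"},
    {"name": "AES256-SHA", "strength_bits": 256, "protocol": "SSLv3"},
]


def weak_ciphers(ciphers):
    """Return the names of cipher records below the 128-bit minimum."""
    return [c["name"] for c in ciphers if c["strength_bits"] < MIN_STRENGTH_BITS]


def assess_cipher_string(spec):
    """Expand an OpenSSL cipher string (Apache SSLCipherSuite / nginx
    ssl_ciphers value) with the local OpenSSL and return
    (enabled_cipher_names, weak_cipher_names).

    A string that selects no cipher at all raises ssl.SSLError; that is a
    configuration failure worth surfacing rather than hiding.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    enabled = ctx.get_ciphers()
    return [c["name"] for c in enabled], weak_ciphers(enabled)


if __name__ == "__main__":
    # Hand-built list: the two entries a PCI assessor would reject.
    print("2008-era sample, weak entries:", weak_ciphers(SAMPLE_2008_CIPHERS))
    # A strict string of the kind the post recommends: only >=128-bit suites.
    enabled, weak = assess_cipher_string("HIGH:!aNULL:!MD5")
    print(f"HIGH:!aNULL:!MD5 -> {len(enabled)} suites enabled, weak: {weak}")
```

Run it against the cipher string from your own server configuration; any name in the weak list is a cipher the web server must stop offering before the encryption-strength check can pass.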
Originally posted on Sun Nov 30, 2008