
SSL Certificates and PCI Compliance

The proper use of SSL certificates is only a small part of the PCI (Payment Card Industry) requirements, but it is an important one. Other requirements include security assessments and ASV scans, and which ones apply depends on the number of credit card transactions your company processes. SSL allows you to protect customer data as it is being transmitted to and from the web server. If you don't properly set up your web server to use SSL certificates, you can't meet the PCI standards that are required to accept credit cards on your site. We have previously discussed whether the PCI standards are really effective in protecting consumer information and identity, and we've found that, while not perfect, they are helping to make credit card transactions more secure.

Tim Callan from VeriSign recently gave an informative webcast about SSL Certificates and PCI Compliance. Among other things he brought up the following points:

  • PCI requires adequate encryption of credit card holder information while being transmitted
  • At least 128-bit encryption must be used
  • Phishing is a growing problem in ecommerce
  • SGC Certificates are recommended so that an extra 0.3% of potential visitors (using really old browsers like Internet Explorer 5) can access your site.  SSL Shopper disagrees that SGC Certificates should be used because it encourages people to use old browsers that have a host of other security problems. The responsible thing to do is to use a normal SSL Certificate (which usually costs much less than an SGC certificate) and require 128-bit encryption on the web server.  The 0.3% of visitors using vulnerable web browsers should be encouraged to upgrade their browser so they can avoid other security problems.
  • You need to make sure the server is set up so that weak encryption rates (40-bit, 56-bit) aren't used.
  • EV certificates, which aren't specifically required by the PCI standards, can help deter phishing and increase the number of people who purchase from you.

The PCI Standards specifically state the following about SSL:

Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks

  • Verify that strong encryption is used during data transmission
  • For SSL implementations:
    - Verify that the server supports the latest patched versions.
    - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).
    - Verify that no cardholder data is required when HTTPS does not appear in the URL.
  • Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
  • Verify that only trusted SSL/TLS keys/certificates are accepted.
  • Verify that the proper encryption strength is implemented for the encryption methodology in use.
    (Check vendor recommendations/best practices.)

The full PCI Standards can be viewed here.
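The two lists above (require at least 128-bit encryption and no 40/56-bit ciphers; verify current protocol versions, HTTPS in the URL, and only trusted certificates) can be turned into a checklist that a script evaluates. The following is an added example, not code from SSL Shopper or from the PCI DSS: it records what a client learns from one TLS handshake and reports any finding that would fail those checks. The accepted protocol set (TLS 1.2 and 1.3) and the sample observations are assumptions constructed for the example; the `probe` function does a real handshake and needs network access, while the samples run offline.

```python
"""Added example (not from the SSL Shopper article or the PCI DSS text):
evaluate a negotiated TLS session against the transmission requirements the
article quotes: current protocol, >= 128-bit cipher, trusted certificate,
and HTTPS wherever cardholder data is submitted."""
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse

MIN_CIPHER_BITS = 128  # "at least 128-bit encryption must be used"
# Assumption for this example: SSLv2/SSLv3 and TLS 1.0/1.1 are treated as
# outdated; only these versions count as "latest patched versions".
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


@dataclass
class TlsObservation:
    """What a client learned from one handshake with the server."""
    protocol: str            # as reported by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher_name: str         # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    cipher_bits: int         # symmetric key strength reported with the cipher
    cert_verified: bool      # True if the chain validated against the trust store
    hostname_matches: bool   # True if the certificate name matched the host


def evaluate(obs: TlsObservation) -> list[str]:
    """Return findings for one session; an empty list means all checks passed."""
    findings = []
    if obs.protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"outdated protocol negotiated: {obs.protocol}")
    if obs.cipher_bits < MIN_CIPHER_BITS:
        findings.append(
            f"weak cipher strength: {obs.cipher_name} ({obs.cipher_bits}-bit)")
    if not obs.cert_verified:
        findings.append("certificate chain is not trusted")
    if not obs.hostname_matches:
        findings.append("certificate does not match the hostname")
    return findings


def url_uses_https(url: str) -> bool:
    """The 'HTTPS appears in the URL' check for a page that asks for card data."""
    return urlparse(url).scheme.lower() == "https"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Perform one real handshake (needs network access; not used by the
    offline samples below). create_default_context() verifies the chain and
    the hostname, so reaching the return statement means both passed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return TlsObservation(tls.version(), name, bits, True, True)


# Constructed sample observations standing in for real handshakes.
SAMPLES = {
    "good": TlsObservation("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256, True, True),
    "export_grade": TlsObservation("TLSv1.0", "EXP-RC4-MD5", 40, True, True),
    "self_signed": TlsObservation(
        "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128, False, False),
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        print(label, evaluate(obs) or "OK")
    print(url_uses_https("https://shop.example/checkout"),
          url_uses_https("http://shop.example/checkout"))
```

The `export_grade` sample is the case the article warns about: a 40-bit cipher on an old protocol produces two findings, and a server configured to require 128-bit encryption would never negotiate it in the first place. Because `probe` relies on the default context, an untrusted chain or a hostname mismatch raises `ssl.SSLCertVerificationError` rather than returning an observation; catching that exception and recording `cert_verified=False` is how the `self_signed` sample would arise in practice.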

Originally posted on Sun Nov 30, 2008

Comments


Duane(2014-12-13)

hmmmm whoever comes up with these standards seems to base them more on theoretical attacks than real ones, most data escaping lately has been from trucks with tapes going missing, from databases cracked, from point of sale terminals infected with spyware and from phishing attacks which don't use SSL.

Thankfully the amount of in transit traffic nabbed is very minimal, otherwise the SSL industry would need to start paying off their insured certificates a lot more, which is why they insure them for silly amounts in the first place since it's all marketing, not real security.

Rinse and repeat. So umm yea, why is SSL certificates so specifically important again in the PCI equation exactly?

somebody somewhere(2014-12-23)

SSL certificates are a method of validating that an entity is who they say they are and that you're not connecting to joe schmoe's server in Timbuktu or being intercepted by a middle man.

On the part of SSLv3, it is no longer an acceptable encryption method. It has been dated for 20 years and is finally being phased out, most recently due to newfound exploits in SSLv3.

With everything else you stated, security has many venues and is typically applied in a layered approach. A lapse of judgement in one area does not constitute a lapse of judgement in others. Some vectors are more susceptible to attacks than others; that doesn't mean you take the locks off the doors and put a first come first serve sign up in the entry way.

There are typically procedures and policies in place that employees are supposed to follow regarding data in transit. Obviously when these procedures aren't followed bad things happen, as you stated above. Security is everyone's responsibility.

mwnciboo(2017-01-18)

Although in reality, it's given every so called security company the ability to say "Hey we do PCI DSS and ASV" and then you get the Scan back, and they've misinterpreted every single thing in the Data Security Standard. Every man and his dog thinks he can make money out of "CYBER".

Robert(2014-12-13)

"So umm yea, why is SSL certificates so specifically important again in the PCI equation exactly?"

Answer:

"The PCI Standards specifically state the following about SSL:

Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks."

david Page(2014-12-13)

You need to have SSL 3.0 and disable any older versions of SSL.
