The Payment Card Industry Data Security Standard (PCI DSS) sets specific requirements for how SSL/TLS is used to protect cardholder data in transit over open, public networks (the "strong cryptography" obligations of Requirement 4, supported by the key-management and review requirements elsewhere in the standard). The key points are:
- Use of Strong Cryptography and Secure Protocols: PCI DSS requires strong cryptography and secure protocols for any transmission of cardholder data over open, public networks. SSL (all versions) and early TLS (TLS 1.0 and 1.1) do not qualify as strong cryptography because of known weaknesses in the protocols themselves; the PCI SSC set 30 June 2018 as the deadline for migrating off them. Organizations should run TLS 1.2 or higher, and should remember that the protocol version alone is not enough: TLS 1.2 still permits RC4, 3DES and CBC-mode suites, so the cipher suites offered must be restricted as well.
- Validation of Certificates: Certificates used to protect cardholder data must be valid, not expired, and not revoked. The certificate is what lets the client authenticate the server; a client that accepts an expired, revoked or untrusted certificate still gets an encrypted channel, but one that an interceptor could have set up. Checking revocation requires consulting the issuer's CRL or OCSP responder, not just inspecting the certificate.
- Inventory of Trusted Keys and Certificates: An up-to-date inventory of all trusted keys and certificates is required. It should record, for each item, the algorithm, protocol, key length, custodian and expiration date, so that when a weakness is found in an algorithm or in a cryptographic library the affected systems can be identified and remediated quickly, and so that expirations do not come as a surprise.
- Documentation and Review of Cryptographic Suites and Protocols: The cipher suites and protocols in use must be documented and reviewed at least once every 12 months. The review confirms that only secure configurations remain in use and catches suites or versions that have been downgraded to "weak" since the previous review.
- Restriction of Weak Protocols and Cipher Suites: Weak protocols and cipher suites must not be supported at all, not merely de-prioritized. Systems must be configured so that they cannot fall back to insecure versions (SSLv2, SSLv3, TLS 1.0, TLS 1.1), algorithms (RC4, DES/3DES, MD5, export-grade, NULL or anonymous suites), key sizes, or implementations; a server that still offers an old version can be driven to it by a downgrade attack even if clients normally negotiate TLS 1.2.
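Most of these controls can be checked mechanically rather than by reading configuration files. The following is an added example, not code or text from the PCI SSC or from this page, using only the Python standard library: it builds a client context that satisfies the protocol, cipher-suite and certificate-validation points above, builds a deliberately weak one for contrast, audits both, and checks a constructed `getpeercert()`-style record for expiry. The cipher string, the 30-day warning window, the weak-cipher shortlist and the sample certificate record are this example's own assumptions. Revocation is not checked here because it needs a live CRL or OCSP lookup.

```python
"""Audit TLS client settings and certificate lifetimes against PCI DSS-style rules.

Added example (standard library only). The thresholds, cipher string and the
sample certificate record are assumptions made for the example.
"""
import ssl
import time

# Name fragments that mark a suite as not "strong cryptography". Our own shortlist,
# not an exhaustive list from the standard.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5",
                       "ANON", "ADH", "AECDH")

# TLS 1.2 suites we allow: forward-secret (ECDHE) AEAD suites only. TLS 1.3 suites
# are all AEAD and are not affected by this string.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_client_context():
    """Client context that refuses SSL/early TLS and requires a validated chain."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname + CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no fallback to TLS 1.0/1.1 or SSL
    ctx.set_ciphers(STRONG_CIPHERS)               # restrict the TLS 1.2 suite list
    return ctx


def weak_client_context():
    """Deliberately weak context, built only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # any name on the certificate is accepted
    ctx.verify_mode = ssl.CERT_NONE   # unsigned, expired or revoked certificates are accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # allow early TLS where the build permits it
    except (ssl.SSLError, ValueError):
        pass                          # some OpenSSL builds refuse to lower the floor
    return ctx


def audit_context(ctx):
    """Return a list of PCI-relevant findings for a context; empty means it passed."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (SSL/early TLS permitted)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


# Constructed record in the shape returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "payments.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
}


def certificate_findings(cert, now=None, warn_days=30):
    """Flag not-yet-valid, expired or soon-to-expire certificates.

    `now` is seconds since the epoch (UTC); defaults to the current time.
    Revocation is deliberately not checked: it requires a CRL or OCSP lookup.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("certificate not yet valid")
    if now >= not_after:
        findings.append("certificate expired")
    elif not_after - now < warn_days * 86400:
        findings.append(f"certificate expires within {warn_days} days")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, "->", audit_context(ctx) or "no findings")
    print("sample cert, checked mid-March 2025 ->",
          certificate_findings(SAMPLE_CERT, now=1741996800))
```

In production the context audit would be run against the contexts your services actually construct (or, from the outside, against what a server negotiates), and `certificate_findings` would be fed the records collected for the key-and-certificate inventory so that the expiry date lives in one place and is checked on a schedule rather than discovered at the next outage.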
By adhering to these requirements, organizations can effectively protect payment data in transit and maintain PCI DSS compliance.