Data breaches continue to plague the private sector in the United States, and a large share of the exposed records has been traced back to retail transaction-processing systems that were not properly protected. Security must be a high priority for virtually every organization, but those that handle payment data need to be especially careful: meeting PCI DSS compliance is the floor, not the ceiling, and additional steps should be taken to further protect the integrity of digital information.
As a note, PCI DSS has been refined several times in the past few years as the PCI Security Standards Council and industry leaders work to strengthen the security of payment data while the methods of payment keep evolving. Retailers, payment processors, banks and others need to keep up with each revision, since falling behind can quickly lead to headaches, fines, litigation and other disruptions.
A recent eWEEK article explained some of the key changes in PCI DSS version 3.1, released in mid-April, which requires the industry to move away from the still widely deployed Secure Sockets Layer (SSL) protocol. According to the news provider, although the council that maintains the standard tends to release major updates every three years, it issues smaller revisions when necessary, and the state of SSL called the existing requirements into question.
eWEEK added that the flaws are in the SSL protocol itself rather than in any one vendor's implementation, so they cannot be patched away, which is why the council directed retailers and others to begin moving off it. Practitioners should note that version 3.1 also stops treating early TLS, meaning TLS 1.0, as strong cryptography, so replacing SSL 3.0 with TLS 1.0 alone does not settle the matter.
"In this case, the Secure Sockets Layer protocol is broken, and unlike many of the vulnerabilities we see out there, there's no patch to fix it," PCI Security Standards Council Chief Technology Officer Troy Leach explained in an interview with the news provider. "This, combined with its widespread use, makes it a critical vulnerability and one that organizations need to address immediately."
Any entity covered by PCI DSS needs to stay informed about changes, but must also keep enough flexibility in its security program to adjust swiftly when a requirement changes. Without that agility, necessary protocol changes will be far more disruptive, and the firm could face otherwise avoidable fines and penalties for non-compliance with the standard.
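One concrete way to keep pace with a change like this one is to audit web-server configuration for the protocol versions still enabled before an assessor does. The following Python script is an added example, not code from the article or from Datacap: it parses the nginx `ssl_protocols` directive and the Apache `SSLProtocol` directive, normalises the version tokens, and reports any directive that still enables SSL 2.0, SSL 3.0 or TLS 1.0 (the "early TLS" that PCI DSS 3.1 also named). The configuration fragments at the bottom are constructed for illustration, and treating Apache's `all` keyword as every version including SSLv2 is a deliberately conservative assumption, since older Apache releases defined `all` that way.

```python
# Added example: flag web-server protocol directives that still enable SSL
# (or early TLS) so the migration PCI DSS 3.1 calls for can be verified.

# Version tokens as written in nginx "ssl_protocols" and Apache "SSLProtocol"
# directives, mapped to one canonical spelling.
_ALIASES = {
    "sslv2": "SSLv2", "sslv3": "SSLv3",
    "tlsv1": "TLSv1.0", "tlsv1.0": "TLSv1.0",
    "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3",
}
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# PCI DSS 3.1 stopped treating SSL (all versions) and early TLS (TLS 1.0) as
# strong cryptography, so any directive enabling these is a finding.
NOT_STRONG = {"SSLv2", "SSLv3", "TLSv1.0"}


def enabled_protocols(directive_line):
    """Return the set of versions one directive enables, or None if the line
    is not a protocol directive.

    nginx:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;      explicit list
    Apache: SSLProtocol all -SSLv2 -SSLv3              'all' plus +/- adjustments
    """
    line = directive_line.split("#", 1)[0].strip().rstrip(";")
    if not line:
        return None
    name, *tokens = line.split()
    if name.lower() not in ("ssl_protocols", "sslprotocol"):
        return None
    enabled = set()
    for tok in tokens:
        sign = "+"
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        if tok.lower() == "all":
            # Assumption (conservative): treat Apache's "all" as every version,
            # SSLv2 included, because older Apache releases defined it that way.
            targets = list(ALL_PROTOCOLS)
        else:
            canon = _ALIASES.get(tok.lower())
            if canon is None:
                raise ValueError("unknown protocol token %r" % tok)
            targets = [canon]
        if sign == "-":
            enabled.difference_update(targets)
        else:
            enabled.update(targets)
    return enabled


def audit_config(config_text):
    """Scan a config file's text; return [(line_number, [weak versions...])]
    for every protocol directive that still enables something in NOT_STRONG."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        enabled = enabled_protocols(line)
        if enabled is None:
            continue
        weak = sorted(enabled & NOT_STRONG)
        if weak:
            findings.append((number, weak))
    return findings


# Constructed sample fragments, not taken from any real deployment.
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # still offers SSL 3.0"
FIXED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;"
WEAK_APACHE = "SSLProtocol all -SSLv2"            # SSLv3 and TLS 1.0 remain
FIXED_APACHE = "SSLProtocol -all +TLSv1.2 +TLSv1.3"

if __name__ == "__main__":
    for label, text in [("weak nginx", WEAK_NGINX), ("fixed nginx", FIXED_NGINX),
                        ("weak apache", WEAK_APACHE), ("fixed apache", FIXED_APACHE)]:
        result = audit_config(text)
        print("%-12s %s" % (label, result or "OK: no SSL/early TLS enabled"))
```

Run it against a real file with `audit_config(open(path).read())`; an empty list means that file enables nothing in the SSL/early-TLS set, but it says nothing about included files or about what the linked OpenSSL build actually offers, so confirm with a handshake test against the live endpoint as well.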
Contact Datacap to learn more about the move from SSL to TLS encryption.