As a business manager you always need a fair mix of ‘can do’ and ‘don’t do that’ in your repertoire. But with the clock running on the PCI Security Standards Council’s deadline (www.pcisecuritystandards.org), your business is at risk and it is time for ‘can do’, even if you do not process credit card information.
The early protocols used to secure commercial payments and sales communications, SSL (every version) and early TLS (TLS 1.0), are now deprecated: PCI DSS required migration off them by 30 June 2018, and the Council recommends TLS 1.2 or later. Your development, sales and marketing teams may be delaying the replacement for significant business reasons, and those reasons are what you now need to get involved in.
From a development point of view, nobody likes to go back and redo old work, but that is what the deprecation of SSL/early TLS entails. You will need to schedule a week or two of security work for your development team to address this issue, which means delaying your current production schedule by a week or two. It can no longer be avoided: if your organization is supporting, or worse, driving customers to use SSL/early TLS, you could easily be held responsible when a customer suffers identity theft or is harmed in some other way through the faulty service you require them to use.
This is one case where the PCI Security Standards Council is giving notice to your Legal Counsel that, much like the Montrose case, your organization will be held liable for the loss of your customers’ and consumers’ data. Don’t know about Montrose? No problem, talk to your Legal Counsel; they will be glad to wax eloquent about it for you. In the meantime, know this: because of the burden of removing SSL and early TLS from your commercial systems, your organization probably has not done it yet.
From a marketing and sales perspective, your organization has probably nixed the idea because some of your customers would then be unable to reach your website or communicate with you through that old app you wrote four years ago. Without a strong risk assessment report, and good communication up and down the reporting chain, a subordinate somewhere in your organization has probably made the business decision not to comply with this PCI DSS deadline.
Again, let me stress that even if you do not process credit cards, your organization will be successfully litigated against if you fail to perform your due diligence on this issue. This is not a drill; it is time for you to get directly involved in this information security matter and ensure that:
- Your software only communicates over TLS 1.2 or later (TLS 1.3 where available), with strong cipher suites.
- You do not accept connections at lesser protocol versions for ‘backwards compatibility’.
- Sales and Marketing have not nixed this security requirement because ‘they don’t want to inconvenience their customers’.
- The development team has the time necessary to address this issue; make it the number one priority.
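The first two points are something you can verify rather than take on trust. The following script is an added example, not code from the article or from Arrakis Consulting; it assumes Python 3.7 or later with the standard `ssl` module built against OpenSSL 1.1.0 or newer (which exposes `SSLContext.minimum_version`), and the names `legacy_context`, `hardened_context`, `probe_versions` and `assess` are chosen here for illustration. It shows the ‘backwards compatibility’ setting beside the corrected one, and probes a server one protocol version at a time to see whether it still accepts early TLS.

```python
"""Retire SSL/early TLS: enforce a TLS 1.2 floor and audit a server for it.

Added example (not from the article).  Assumes Python 3.7+ and the standard
ssl module built against OpenSSL 1.1.0 or later, which exposes
SSLContext.minimum_version / maximum_version.
"""
import socket
import ssl

# Versions PCI DSS retires (SSLv2/SSLv3 cannot even be selected in modern
# builds, so only early TLS can be probed explicitly) and versions still allowed.
RETIRED = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
ACCEPTABLE = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def legacy_context():
    """The 'backwards compatibility' setting the article argues against:
    the floor is pushed down to TLS 1.0 so old clients keep working."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # this OpenSSL build no longer offers TLS 1.0 at all
    return ctx


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Context for outbound connections (SERVER_AUTH) or, after
    load_cert_chain(), for a listener (CLIENT_AUTH): refuses anything
    below TLS 1.2 and restricts ciphers to forward-secret AEAD suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no lower floor for compatibility
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version, pinning both min and max to that
    version, and record whether the server accepted it."""
    results = {}
    for name, version in {**RETIRED, **ACCEPTABLE}.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # testing version negotiation, not identity
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[name] = "unsupported locally"  # cannot be offered from this host
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = "accepted (%s)" % tls.version()
        except ssl.SSLError:
            results[name] = "rejected"       # server refused this version
        except OSError as exc:
            results[name] = "error: %s" % exc
    return results


def assess(results):
    """Deadline check: every retired version must be refused (or not even
    offerable) and at least one acceptable version must be negotiated."""
    accepted = {n for n, r in results.items() if r.startswith("accepted")}
    return accepted.isdisjoint(RETIRED) and bool(accepted & ACCEPTABLE.keys())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    report = probe_versions(target)
    for name, outcome in report.items():
        print("%-8s %s" % (name, outcome))
    print("PASS" if assess(report) else "FAIL: still accepts SSL/early TLS")
```

Run it as `python tls_floor.py your.host.example` against each public endpoint and each internal service that talks to one. A ‘rejected’ for TLS 1.0 and 1.1 alongside an ‘accepted’ for 1.2 or 1.3 is the result the deadline requires; note that the probe only reports what your local OpenSSL can still offer, so an older client library on a customer’s machine may be able to negotiate a version this script cannot even attempt, which is exactly why the floor has to be set on the server side as in `hardened_context`.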
From time to time a security standards body identifies an issue that affects everybody, even those not strictly within that body’s purview. This is one of those times, and thus it is time to provide direction to your organization. If your organization has not yet met this challenge, it is time to provide the ‘can do’ resources it needs to meet this deadline.
Article by John Barchie, Senior Fellow, Arrakis Consulting
About the Author
John Barchie, Senior Fellow at Arrakis Consulting, which specializes in PCI Security Standards and GDPR compliance, has twenty years of experience in computer networking, information technology and cyber security. The majority of his career has been spent developing security protocols for Silicon Valley corporations including Symantec, PayPal, PG&E, KPMG and OpenSky. He has completed security projects for Sony PlayStation and NASA. For more information, visit www.arrakisconsulting.com.