Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis announces strategic partnership with Microsoft to acclerate the secure adoption of Copilot.

Learn more

SSL and TLS 1.0 No Longer Acceptable for PCI Compliance

1 min read
Last updated June 16, 2023

In April of 2016, the PCI Council released version 3.1 of their Data Security Standard (DSS). While most of the changes in this minor release are clarifications, there is at least one significant update involving secure communication protocols. The Council has decided that SSL and TLS 1.0 can no longer be used after June 30, 2016.

The fine print about these two protocols can be found under DSS Requirement 2.0: “Do not use vendor-supplied defaults for system passwords and other security parameters”.

I guess the ancient Netscape-developed SSL (Secure Socket Layer) and TLS (Transport Layer Security) are considered other security parameters. (We’ve got an article dedicated to the difference between SSL & TLS, if you’re curious.)

RIP SSL

In any case, the Council is responding to the well-known POODLE exploit in SSL as well as NIST’s recent conclusions about SSL. As of April 2014, they proclaimed that SSL is not approved for use in protecting Federal information.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

Unfortunately, you’ll need a brief history lesson to understand the role of TLS.

Developed in the 1990s by the IETF folks, TLS version 1.0 was based heavily on SSL and designed to solve compatibility issues—a single, non-proprietary security solution. Then a series of cryptographic improvements were made for TLS 1.1 and the current 1.2.

One key point is that TLS implementations support a downgrade negotiation process whereby the client and server can agree on the weaker SSL protocol even if they opened the exchange at the latest and greatest TLS 1.2.

Because of this downgrade mechanism, it was possible in theory to leverage the SSL-targeted POODLE attack to indirectly take a bite out of TLS by forcing servers to use the obsolete SSL.

Then in December 2014, security researchers discovered that a POODLE-type attack could be launched directly at TLS without negotiating a downgrade.

Overall, the subject gets complicated very quickly and depending on whom you read, security pros implicate browser companies for choosing compatibility over security in their continuing support of SSL or everyone for implementing the TLS standard incorrectly.

There’s a good discussion of some of these issues in this Stack Exchange Q&A.

What Can Be Done?

The PCI Council says you must remove completely support for SSL 3.0 and TLS 1.0. In short: servers and clients should disable SSL and then preferably transition everything to TLS 1.2.

However, TLS 1.1 can be acceptable if configured properly. The Council points to a NIST publication that tells you how to do this configuration.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
6-prompts-you-don't-want-employees-putting-in-copilot
6 Prompts You Don't Want Employees Putting in Copilot
Discover what simple prompts could expose your company’s sensitive data in Microsoft Copilot.
generative-ai-security:-preparing-for-salesforce-einstein-copilot
Generative AI Security: Preparing for Salesforce Einstein Copilot
See how Salesforce Einstein Copilot’s security model works and the risks you must mitigate to ensure a safe and secure rollout.
dspm-buyer's-guide
DSPM Buyer's Guide
Understand the different types of DSPM solutions, avoid common pitfalls, and ask questions to ensure you purchase a data security solution that meets your unique requirements.
speed-data:-preparing-for-the-unknown-in-cybersecurity-with-ian-hill
Speed Data: Preparing for the Unknown in Cybersecurity With Ian Hill
Ian Hill, the Director of Information and Cybersecurity for Upp Telecommunications, offers his take on AI and the future of tech, shares his tricks for a good cyber defense, and explains why the best-laid plans of mice and security professionals often go astray.