Taking Aim at the Credit Card Security Target
by Galen Carpenter, Senior Systems Software Engineer
Trying to keep up with the latest online security recommendations can be a headache when your software has to handle credit card payments. It seems like as soon as you get everything updated and in compliance, there’s a new threat, followed by new security requirements—it’s like trying to hit a moving target!
Before we explain how Synergy/DE can help you hit that target, a little background information is in order. The credit card industry adheres to standards, referred to as the Payment Card Industry Data Security Standard (PCI-DSS), issued by the PCI Security Standards Council, which is administered by the major credit card brands. The PCI-DSS applies to companies of any size that accept, process, store, or transmit credit card data. Its goal is to maintain a secure environment for that data.
In the last few years, we have seen numerous attacks, such as POODLE, DROWN, and BEAST, on the SSL and TLS protocols. (These protocols specify the cryptographic algorithms used for secure transmission of data.) As a result, in April 2015, the PCI Security Standards Council removed SSL and TLS 1.0 from their security standard and stated that they could not be used after June 30, 2016. PCI-DSS 3.1 states that TLS 1.1 or greater must be offered and used (though TLS 1.2 is recommended).
In response, Synergex added an SCL (security compliance level) option to rsynd and the OPEN statement in version 10.3.1b in August 2015. This option is used to set the desired protocols. The SCL option has three values: 0, 1, 2. An SCL value of 0 specifies that Synergy/DE’s current default value—whatever it may be—will be used. An SCL value of 1 allows the use of the TLS 1.0, TLS 1.1, and TLS 1.2 protocols, and an SCL value of 2 is the most stringent, allowing only TLS 1.1 and TLS 1.2. The SCL default value is 1 in versions 10.3.1b through 10.3.3e, and as of 10.3.1b, the SSL3 protocol is no longer supported.
In December 2015, the PCI Security Standards Council revised the date for dropping SSL and TLS 1.0 protocol suites from June 30, 2016 to June 30, 2018 to give companies additional time to migrate to more secure protocols. That additional time is rapidly disappearing. PCI-DSS 3.2, issued in April 2016, states that existing implementations using SSL or TLS 1.0 require a risk mitigation and migration plan. With the PCI standards recommending a minimum of TLS 1.1 and preferring TLS 1.2, unless you have older clients that require TLS 1.0, your Synergy applications should specify an SCL value of 2. In the next major release of Synergy/DE, SCL=2 will become the default.
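As an added illustration (not Synergex code), the following Python models the SCL-to-protocol mapping from the two paragraphs above and simulates TLS version negotiation, so you can see which clients in a constructed inventory (hypothetical names) keep working, connect non-compliantly, or break when you move from SCL=1 to SCL=2:

```python
from typing import Dict, List, Optional

# Protocol versions; ORDER ranks them from weakest to strongest.
TLS10, TLS11, TLS12 = "TLS 1.0", "TLS 1.1", "TLS 1.2"
ORDER = {TLS10: 0, TLS11: 1, TLS12: 2}

# SCL values as the article defines them. SCL=0 defers to the product default,
# which is 1 in 10.3.1b through 10.3.3e and becomes 2 in the next major release.
SCL_PROTOCOLS = {
    1: {TLS10, TLS11, TLS12},
    2: {TLS11, TLS12},
}

# PCI-DSS: TLS 1.1 is the minimum after June 30, 2018; TLS 1.2 is recommended.
PCI_MINIMUM = TLS11

def server_protocols(scl: int, product_default: int = 1) -> set:
    """Resolve an SCL value (0, 1 or 2) to the protocols the server will offer."""
    return SCL_PROTOCOLS[product_default if scl == 0 else scl]

def negotiate(client_versions: List[str], scl: int, product_default: int = 1) -> Optional[str]:
    """Highest version both sides support, or None if the handshake would fail."""
    common = set(client_versions) & server_protocols(scl, product_default)
    return max(common, key=ORDER.get) if common else None

def audit(clients: Dict[str, List[str]], scl: int, product_default: int = 1) -> Dict[str, str]:
    """Classify each client: 'ok', 'non-compliant' (connects below TLS 1.1) or 'fails'."""
    result = {}
    for name, versions in clients.items():
        v = negotiate(versions, scl, product_default)
        if v is None:
            result[name] = "fails"
        elif ORDER[v] < ORDER[PCI_MINIMUM]:
            result[name] = "non-compliant"
        else:
            result[name] = "ok"
    return result

# Constructed client inventory (hypothetical names, not from the article).
CLIENTS = {
    "legacy-pos": [TLS10],             # only speaks TLS 1.0
    "old-gateway": [TLS10, TLS11],     # capped at TLS 1.1
    "modern": [TLS10, TLS11, TLS12],
}

if __name__ == "__main__":
    for scl in (1, 2):
        print(f"SCL={scl}:", audit(CLIENTS, scl))
```

Clients reported as "non-compliant" under SCL=1 are the ones that will become "fails" under SCL=2, which is the list to drive the migration plan PCI-DSS 3.2 asks for.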
Looking into the future, the TLS 1.3 protocol was approved in March 2018. TLS 1.3 is a major rewrite of the TLS specification, which is expected to greatly increase security. There are new cipher suites that work only with TLS 1.3, and old cipher suites that TLS 1.3 no longer accepts have been removed. Additionally, perfect forward secrecy (PFS) is always used with TLS 1.3, but was optional with TLS 1.2. This makes replay attacks and out-of-band decryption nearly impossible. OpenSSL continues to enhance its security, and when version 1.1.1 is released, it will have support for TLS 1.3.
Currently, Synergy/DE 10.3.3 and its patches support only the 1.0 branch of OpenSSL, which does not have the TLS 1.3 protocol. In the next major release, we will be supporting both the 1.0 and 1.1 branches and will automatically use the highest version of OpenSSL that is installed. Unfortunately, these two OpenSSL branches are not binary compatible. This means that two sets of httpslib and synssllib files will be distributed, one for each OpenSSL branch.
Note that end of life for OpenSSL 1.0.2 will be December 31, 2019. By that time, everyone should have migrated their systems to OpenSSL 1.1. In the meantime, it is important to keep up with the latest OpenSSL security releases because problems are continually being fixed. It’s hard to protect yourself from the unknown, but not updating OpenSSL regularly leaves your system vulnerable to the known problems that have already been fixed. Remember, security is a moving target.