Archive for February 18th, 2015

18 Feb 15

Council Surveys QSAs On SSL

This message popped into my inbox late yesterday.

[Image: 20150217-PCISSCemailMsg]

The survey in question contains the following questions.

[Image: 20150217-PCISSCSurvey]

All of my clients have gotten rid of SSL on their public-facing Web sites.

The dilemma we have is that while SSL is dead, it is baked into so many products and appliances. My clients are therefore stuck with appliances and software products that have SSL hard-coded into them. As a result, they will be dependent on their vendors to convert to TLS.

That said, what is the risk of using SSL internally? Not a good practice, but truthfully, what is the risk?

In my opinion, using SSL internally for the next 12 to 24 months would not be the end of the world as long as it does not become a significant attack vector.

It will be interesting to hear the results of this survey.
