Council Surveys QSAs On SSL

This message popped into my inbox late yesterday.


The survey in question contains the following questions.


All of my clients have gotten rid of SSL on their public-facing Web sites.

The dilemma we have is that while SSL is dead, it is baked into so many products and appliances. My clients are therefore stuck with appliances and software products that have SSL hard-coded into them. As a result, they will be dependent on their vendors to convert to TLS.

That said, what is the risk of using SSL internally?  Not a good practice, but truthfully, what is the risk?

In my opinion, using SSL internally for the next 12 to 24 months would not be the end of the world as long as it does not become a significant attack vector.
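Answering the "what is the risk" question starts with knowing which internal services still negotiate SSLv3 or TLS 1.0, and appliances with the protocol hard-coded rarely advertise that. The following is an added example, not code from the PCI Guru post: a passive parser that classifies captured TLS/SSL handshake records (for instance ServerHello bytes exported from a packet capture) by the protocol version the server actually selected, and flags SSLv3 and TLS 1.0. The service names, the record builder and the sample records are constructed for the example; the version and extension codes are the standard ones from the SSL/TLS RFCs.

```python
"""Inventory internal services by the SSL/TLS version their ServerHello selects.

Added example, not from the PCI Guru post. The sample records are built by
hand below (constructed, not captured from any real system); in practice the
bytes would come from a packet capture of internal traffic.
"""
import struct

# Record-layer / handshake version codes (RFC 6101, RFC 5246, RFC 8446).
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# Versions this example treats as "SSL and early TLS" (SSLv3 and TLS 1.0).
DEPRECATED = {0x0300, 0x0301}

HANDSHAKE = 0x16            # record content type
SERVER_HELLO = 0x02         # handshake message type
EXT_SUPPORTED_VERSIONS = 43 # TLS 1.3 extension carrying the real version


def parse_server_hello(body):
    """Return the protocol version a ServerHello body selects.

    TLS 1.3 servers keep legacy_version = 0x0303 and signal 1.3 through the
    supported_versions extension, so that extension overrides the field.
    """
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                     # skip server random
    sid_len = body[pos]
    pos += 1 + sid_len               # skip session id
    pos += 2 + 1                     # cipher suite + compression method
    if pos + 2 > len(body):
        return version               # no extensions block present
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            version = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += ext_len
    return version


def classify_record(raw):
    """Classify one TLS record: the version name and whether it is deprecated."""
    if len(raw) < 5:
        raise ValueError("truncated record header")
    ctype, rec_version, length = struct.unpack("!BHH", raw[:5])
    payload = raw[5:5 + length]
    if len(payload) < length:
        raise ValueError("truncated record body")
    version = rec_version
    if ctype == HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        version = parse_server_hello(payload[4:])   # skip type(1) + length(3)
    return {
        "version": VERSION_NAMES.get(version, "unknown(0x%04x)" % version),
        "deprecated": version in DEPRECATED,
    }


def build_server_hello(legacy_version, selected=None):
    """Construct a minimal ServerHello record (sample data for this example)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32   # version + random
    body += b"\x00"                                           # empty session id
    body += b"\xc0\x2f" + b"\x00"                             # suite, no compression
    if selected is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, legacy_version, len(hs)) + hs


# Constructed inventory: hypothetical service names, hand-built records.
SAMPLE_RECORDS = {
    "legacy-appliance.internal:443": build_server_hello(0x0300),
    "old-app.internal:8443": build_server_hello(0x0301),
    "fileserver.internal:443": build_server_hello(0x0303),
    "modern-api.internal:443": build_server_hello(0x0303, selected=0x0304),
}


def legacy_services(records):
    """Names of services whose ServerHello selected SSLv3 or TLS 1.0."""
    return sorted(name for name, raw in records.items()
                  if classify_record(raw)["deprecated"])


if __name__ == "__main__":
    for name, raw in SAMPLE_RECORDS.items():
        print(name, classify_record(raw))
    print("still on SSL/early TLS:", legacy_services(SAMPLE_RECORDS))
```

The parser reads the server's choice rather than the client's offer, which is what matters for an inventory: a client that offers TLS 1.2 to a hard-coded appliance still ends up on SSLv3 if that is all the appliance can select. The list this produces is the set of systems whose remediation depends on a vendor update rather than on configuration.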

It will be interesting to hear the results of this survey.


3 Responses to “Council Surveys QSAs On SSL”

  1. Louis
    February 18, 2015 at 12:26 PM

    The Feb 13th note is bringing good news; PCI Council has been working with industry stakeholders, and some requirements will be future-dated. That is a relief.

    What surprised me the most is the NIST publication banning SSLv3 is dated May 2014, and no one really caught on then. The Council did not come out, at the time, with some future-dated statements. (They should have, if you ask me)

    2014 was not a good year for encryption, and now everyone is in perception mode…

    • February 18, 2015 at 1:27 PM

      It is not the encryption that was bad with SSL and TLS v1.0, it is the implementation that put the keys at risk that is the problem.

      A number of us questioned the NIST 2014 publication, but without an active exploit, it was all theoretical until POODLE appeared.

  2. February 18, 2015 at 8:40 AM

    Geez, just 24 hours to complete a survey?
