Council Surveys QSAs On SSL

This message popped into my inbox late yesterday.


The survey in question contains the following questions.


All of my clients have gotten rid of SSL on their public facing Web sites.

The dilemma we have is that while SSL is dead, it is baked into so many products and appliances.  My clients are therefore stuck with appliances and software products that have SSL hard coded into them.  As a result, they will be dependent on their vendors to convert to TLS.

That said, what is the risk of using SSL internally?  Not a good practice, but truthfully, what is the risk?

In my opinion, using SSL internally for the next 12 to 24 months would not be the end of the world as long as it does not become a significant attack vector.

It will be interesting to hear the results of this survey.


3 Responses to “Council Surveys QSAs On SSL”

  1. 1 Louis
    February 18, 2015 at 12:26 PM

    The Feb 13th note is bringing good news; PCI Council has been working with industry stakeholders, and some requirements will be future-dated. That is a relief.

    What surprised me the most is the NIST publication banning SSLv3 is dated May 2014, and no one really caught on then. The Council did not come out, at the time, with some future-dated statements. (They should have, if you ask me)

    2014 was not a good year for encryption, and now everyone is in perception mode…

    • February 18, 2015 at 1:27 PM

      It is not the encryption that was bad with SSL and TLS v1.0, it is the implementation that put the keys at risk that is the problem.

      A number of us questioned the NIST 2014 publication, but without an active exploit, it was all theoretical until POODLE appeared.

  2. February 18, 2015 at 8:40 AM

    Geez, Just 24 hours to complete a survey?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


February 2015
« Jan   Mar »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,985 other followers


%d bloggers like this: