With all of the new and not-so-new SSL vulnerabilities discovered of late, it's no wonder that many organizations are moving away from SSL altogether. In fact, many of the organizations we interact with have either migrated already or plan to migrate this quarter. Why, you might ask? Essentially, the SSL POODLE vulnerability all but killed SSL, and organizations subject to PCI-DSS regulatory compliance felt its full force. As a result, SSL is becoming a virtual four-letter word, and TLS is the new black.
So what's in store for PCI-DSS and SSL?
According to a recent PCI-DSS QSA newsletter (Jan 30, 2015), some changes will be made with respect to SSL and its recent vulnerabilities. The PCI newsletter had this to say:
"In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue."