August 13, 2020

Volume X, Number 226

August 12, 2020

Subscribe to Latest Legal News and Analysis

August 11, 2020

Subscribe to Latest Legal News and Analysis

August 10, 2020

Subscribe to Latest Legal News and Analysis

Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data

On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherent weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

  1. Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);

  2. If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;

  3. Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;

  4. If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and

  5.  Ensure proper testing prior to rollout of any new protocol.

© 2020 McDermott Will & EmeryNational Law Review, Volume V, Number 48

TRENDING LEGAL ANALYSIS


About this Author

Partner

Sarah Hogan is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office. Sarah advises health care, biotechnology and other technology companies in all stages of development on commercialization of their technology and intellectual property assets, including counseling with respect to collaborations and strategic alliances, technology development and acquisition, outsourcing, licensing and other corporate partnering transactions. Sarah’s clients include start-up companies seeking funding, venture capital and private equity...

1 617 535 3911