Frequently Asked Question
What are the security considerations for TLS 1.3?
Transport Layer Security (TLS) is a protocol that provides security over networks and is widely used for internet communications and online transactions. TLS version 1.3 introduces protocol changes that may improve security and performance while removing complexities and streamlining the protocol stack. These changes, however, also introduce new considerations for organizations using TLS for security controls.
Organizations implementing TLS 1.3 will need to ensure their implementation is properly configured. Factors to consider when evaluating a TLS implementation include the services and options enabled, the cryptographic algorithms supported, and the strength of the cryptographic keys used.
Organizations should also be aware that the features of TLS 1.3 could affect the functionality for some types of security solutions, such as those that rely on decryption to inspect the packets before they reach the endpoint. For example, organizations using web application firewalls and intrusion detection/prevention systems may find that these systems no longer function as expected, as they may not be able to analyze the encrypted TLS 1.3 connections. This may require changes in the way organizations satisfy certain PCI DSS requirements.
Additionally, devices that do not yet support TLS 1.3 may react differently when presented with TLS 1.3 encrypted traffic. The result could be that traffic is allowed to pass through without inspection, potentially leaving malicious payloads or activities undetected. Other devices could fallback to an earlier or insecure version of the protocol, resulting in data having a lower level of protection than intended. These issues may result in organizations needing to reconfigure or adapt their systems so that they continue to perform as expected.
As with all new technologies, organizations should evaluate and review the possible implications that TLS 1.3 may have on their environment. Organizations are encouraged to contact their security solution vendors to determine any potential impact and whether alternative configurations or other workarounds are recommended.
PCI SSC continues to monitor the evolution of security protocols and their impact on security solutions for the payment industry, and will keep stakeholders informed as updates become available.
Organizations implementing TLS 1.3 will need to ensure their implementation is properly configured. Factors to consider when evaluating a TLS implementation include the services and options enabled, the cryptographic algorithms supported, and the strength of the cryptographic keys used.
Organizations should also be aware that the features of TLS 1.3 could affect the functionality for some types of security solutions, such as those that rely on decryption to inspect the packets before they reach the endpoint. For example, organizations using web application firewalls and intrusion detection/prevention systems may find that these systems no longer function as expected, as they may not be able to analyze the encrypted TLS 1.3 connections. This may require changes in the way organizations satisfy certain PCI DSS requirements.
Additionally, devices that do not yet support TLS 1.3 may react differently when presented with TLS 1.3 encrypted traffic. The result could be that traffic is allowed to pass through without inspection, potentially leaving malicious payloads or activities undetected. Other devices could fallback to an earlier or insecure version of the protocol, resulting in data having a lower level of protection than intended. These issues may result in organizations needing to reconfigure or adapt their systems so that they continue to perform as expected.
As with all new technologies, organizations should evaluate and review the possible implications that TLS 1.3 may have on their environment. Organizations are encouraged to contact their security solution vendors to determine any potential impact and whether alternative configurations or other workarounds are recommended.
PCI SSC continues to monitor the evolution of security protocols and their impact on security solutions for the payment industry, and will keep stakeholders informed as updates become available.
Article Number: 1461
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
Are Mobile Payments on COTS (MPoC) solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?
-
How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
-
How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
-
Does PCI SSC provide a list of PCI DSS-compliant third-party service providers?