SHA-1 – the PCI Council’s views revealed

SHA-1 - the PCI Council’s views revealed
0 Shares

By Natasja Bolton, Senior Acquirer Support QSA

 

Back in June, Sysnet reported on SHA-1 based certificates and why support was ceasing. In that article we also examined the potential impact on ecommerce businesses. Recently, the PCI Security Standards Council (PCI SSC) has released their own guidance on SHA-1 in the form of a Frequently Asked Questions (FAQ) document that discusses the impacts that continued use of SHA-1 as a security control has on the PCI Standards. The PCI SSC FAQ addresses three areas:

 

  • The impact of using SHA-1 for digital signatures on PIN Transaction Security, Point of Interaction (PTS POI) devices;
  • Whether the use of SHA-1 meets the PCI DSS and Payment Application Data Security Standard (PA-DSS) intent for “strong cryptography”;
  • The implications of the presence of SHA-1 on Approved Scanning Vendors (ASV) scan results.

 

While our article focused on the ecommerce impacts, the PCI SSC has highlighted that there are other instances that could lead to certificate errors or a breakdown in secure communications, for example, where digital certificates are used by merchants’ payment terminals for authenticating the payment gateway/processor.  The PCI SSC encourages merchants to contact their acquirers or terminal provider to make sure their payment terminals are updated.

 

The impact

Whether merchant payment terminals are impacted or not, depends on the certificate authority/chain that they rely on. If payment terminals are using public certificates, provided by public Certificate Authorities (CA) and those CAs stop support for SHA-1 signed certificates, there may be an impact. Those effected would be merchants using payment terminals that cannot support anything other than SHA-1 signed certificates.  In particular, merchants continuing to use PCI PTS v1 or v2 approved terminals may be affected. As only from PCI POI PTS version 3 has use of SHA-1 for all digital signatures on PTS POI devices been prohibited. However, as the PCI SSC explains, there are a limited number of specific exceptions that allow for the continued use of SHA-1 by PTS POI devices.

 

Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below

LEARN MORE

SHA-1 and strong cryptography

The same is true when it comes to the PCI SSC’s guidance on whether the use of SHA-1 meets the intent of “strong cryptography”.  PCI DSS requirement 4.1 states; ‘Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks’.  This means that in general, use of SHA-1 is prohibited for digital signature generation, as expressed in the National Institute of Standards and Technology (NIST) Special Publication 800-131A. However, there are exceptions depending on how SHA-1 is used. The PCI SSC itself has not made a blanket statement prohibiting SHA-1; instead they refer and defer to industry standards and best practices.  The NIST Special Publication allows for exceptions in the use of SHA-1 digital signatures by NIST protocol-specific guidance as well as for legacy-use of SHA-1 for digital signature verification (see the specific NIST special publications here). For example, NIST SP 800-52 Guidelines for TLS Implementations notes some specific cases where use of SHA-1 is still found to be acceptable.

 

As a result, businesses will need to refer to the NIST guidance to determine the acceptability of their specific usages of SHA-1 and hence its impact on their PCI DSS compliance.  Many of our clients are also service providers, providing virtual terminals, Point of Sale (POS) solutions and ecommerce payment gateways. They will also need to make sure that their services support the industry accepted strong cryptographic protocols and hashing algorithms. So that businesses using their services are themselves able to assess compliance with the PCI DSS requirements.

 

Lastly…

The PCI Council’s FAQ also notes that uses of SHA-1 in certain cases may result in ASV Scan failures.  The reality is that businesses will need to migrate away from using SHA-1 signed digital certificates or risk failing their quarterly ASV scans after 1st January 2017.  If a business cannot yet move away from using SHA-1 signed certificates they will need to go through a formal process with their ASV to ensure that the affected system is not susceptible to the particular vulnerabilities or that compensating controls are in place to reduce or eliminate the risk of the SHA-1 vulnerability.

 

Sysnet are currently assisting clients with their SHA-2 customer, vendor and partner notification and awareness programs through Merchant Contact Services (MCS). Talk to your Business Relationship Manager today or email sales@sysnetgs.com to find out how MCS can help you meet your business objectives.

 

Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at marketing@sysnetgs.com We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms