By Natasja Bolton, Senior Acquirer Support QSA
Back in June, Sysnet reported on SHA-1 based certificates and why support was ceasing. In that article we also examined the potential impact on ecommerce businesses. Recently, the PCI Security Standards Council (PCI SSC) has released their own guidance on SHA-1 in the form of a Frequently Asked Questions (FAQ) document that discusses the impacts that continued use of SHA-1 as a security control has on the PCI Standards. The PCI SSC FAQ addresses three areas:
- The impact of using SHA-1 for digital signatures on PIN Transaction Security, Point of Interaction (PTS POI) devices;
- Whether the use of SHA-1 meets the PCI DSS and Payment Application Data Security Standard (PA-DSS) intent for “strong cryptography”;
- The implications of the presence of SHA-1 on Approved Scanning Vendors (ASV) scan results.
While our article focused on the ecommerce impacts, the PCI SSC has highlighted that there are other instances that could lead to certificate errors or a breakdown in secure communications, for example, where digital certificates are used by merchants’ payment terminals for authenticating the payment gateway/processor. The PCI SSC encourages merchants to contact their acquirers or terminal provider to make sure their payment terminals are updated.
Whether merchant payment terminals are impacted or not, depends on the certificate authority/chain that they rely on. If payment terminals are using public certificates, provided by public Certificate Authorities (CA) and those CAs stop support for SHA-1 signed certificates, there may be an impact. Those effected would be merchants using payment terminals that cannot support anything other than SHA-1 signed certificates. In particular, merchants continuing to use PCI PTS v1 or v2 approved terminals may be affected. As only from PCI POI PTS version 3 has use of SHA-1 for all digital signatures on PTS POI devices been prohibited. However, as the PCI SSC explains, there are a limited number of specific exceptions that allow for the continued use of SHA-1 by PTS POI devices.
SHA-1 and strong cryptography
The same is true when it comes to the PCI SSC’s guidance on whether the use of SHA-1 meets the intent of “strong cryptography”. PCI DSS requirement 4.1 states; ‘Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks’. This means that in general, use of SHA-1 is prohibited for digital signature generation, as expressed in the National Institute of Standards and Technology (NIST) Special Publication 800-131A. However, there are exceptions depending on how SHA-1 is used. The PCI SSC itself has not made a blanket statement prohibiting SHA-1; instead they refer and defer to industry standards and best practices. The NIST Special Publication allows for exceptions in the use of SHA-1 digital signatures by NIST protocol-specific guidance as well as for legacy-use of SHA-1 for digital signature verification (see the specific NIST special publications here). For example, NIST SP 800-52 Guidelines for TLS Implementations notes some specific cases where use of SHA-1 is still found to be acceptable.
As a result, businesses will need to refer to the NIST guidance to determine the acceptability of their specific usages of SHA-1 and hence its impact on their PCI DSS compliance. Many of our clients are also service providers, providing virtual terminals, Point of Sale (POS) solutions and ecommerce payment gateways. They will also need to make sure that their services support the industry accepted strong cryptographic protocols and hashing algorithms. So that businesses using their services are themselves able to assess compliance with the PCI DSS requirements.
The PCI Council’s FAQ also notes that uses of SHA-1 in certain cases may result in ASV Scan failures. The reality is that businesses will need to migrate away from using SHA-1 signed digital certificates or risk failing their quarterly ASV scans after 1st January 2017. If a business cannot yet move away from using SHA-1 signed certificates they will need to go through a formal process with their ASV to ensure that the affected system is not susceptible to the particular vulnerabilities or that compensating controls are in place to reduce or eliminate the risk of the SHA-1 vulnerability.
Sysnet are currently assisting clients with their SHA-2 customer, vendor and partner notification and awareness programs through Merchant Contact Services (MCS). Talk to your Business Relationship Manager today or email firstname.lastname@example.org to find out how MCS can help you meet your business objectives.
If you are a merchant that requires technical or PCI DSS help, please click here