Real-Time Analytics for PCI Compliance

When the PCI Security Standards Council's deadline for removing SSL and early TLS arrives on June 30, 2018, you'll need real-time network analytics to stay compliant. Here's why.

On June 30, any business that handles credit card data will be required by the Payment Card Industry (PCI) Security Standards Council to eliminate the weak cryptographic protocols SSL (all versions) and early TLS (TLS 1.0) from their cardholder data environments. These protocols have been considered insecure for a long time, but as of July 1 the PCI DSS will treat their very presence as a violation; the only carve-out is for POS POI terminals (and the points they terminate to) that can be shown not to be susceptible to the known SSL/early TLS exploits. Companies that continue to use SSL/early TLS may be fined between $5,000 and $100,000 per month for ongoing violations.

Why Point-In-Time Compliance Audits Are No Longer Enough

There are plenty of third-party assessors and scanning vendors that can audit corporate networks and confirm the presence or absence of SSL/early TLS and other weak cryptographic protocols. This is the standard mechanism businesses use to ensure they stay compliant, but it has two significant weaknesses:

  1. It only covers a single point in time.
  2. Audits tend to be highly invasive, costing time and money and requiring the organization to grant system access to the auditing agency, which is itself a risk.

The growth and dynamism of modern networks mean that new devices connect and new services come online all the time. Rarely does a corporate IT or security team have full control over, or visibility into, everything that is running or connected on their network. There are many scenarios in which a new device or service could come online and start using weak cryptography without the knowledge of the security or compliance team:

  • A SaaS provider or on-premises appliance vendor updates their codebase or firmware. They can change their practices and protocols without notifying you, and they may, by choice or by accident, enable weak cryptographic protocols that break your compliance.
  • A developer spins up a temporary environment for a small-scale experiment and uses default cryptographic settings or turns off cryptography to speed performance, believing that encryption doesn’t matter for this small internal project.
  • A virtualized service sees a spike in requests and automatically scales up by spinning up new VMs based on a template that accidentally, or by default, has weak cryptography enabled.

Even if a business has PCI compliance audits every quarter, any of the above situations could rapidly snowball and result in violations between audits.

How To Monitor Your PCI Compliance In Real Time

Real-time network data analytics provides the simplest path to continuous PCI compliance.

The most effective approach is an out-of-band appliance that monitors a copy of network traffic (from a SPAN port or tap) in real time. The wire is a comprehensive source of truth: every TLS handshake carries the negotiated protocol version and cipher suite in the clear, so a passive sensor can discover and classify every conversation down to the protocol level without decrypting anything. If SSLv3, TLS 1.0, or any of a host of weak cipher suites is negotiated anywhere on your network, you can be warned within moments.

Additionally, a network analysis tool can tell you exactly how many sessions were encrypted using weak cryptography and which IP addresses negotiated the weak protocols or ciphers. This lets a business quickly isolate and correct the issue and, if necessary, report which systems may have been in violation of PCI. That scoping matters: weak cryptography that never touched a system handling payment card data is a security problem, but not a PCI violation, and you need the per-host evidence to prove which case you are in.
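The classification described above, as an added example that is not ExtraHop's code or part of the original post: a minimal passive TLS ServerHello parser that reads the negotiated version and cipher suite from a captured handshake record, flags SSLv3/TLS 1.0 and weak cipher suites, and produces per-server counts like the dashboard tiles. The sample sessions are constructed byte strings, not real traffic, and the IP addresses are made up; anything that is not a well-formed TLS ServerHello (a truncated capture, or an SSLv2-format hello, which has no TLS record header at all) is reported as unparsed rather than silently treated as clean.

```python
import struct
from collections import Counter

# Record-layer / ServerHello version numbers (RFC 6101, RFC 2246, RFC 4346, RFC 5246).
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# PCI DSS "early TLS" is TLS 1.0; with SSLv3 it fails the June 30, 2018 requirement.
PROHIBITED_VERSIONS = {0x0300, 0x0301}

# A few cipher suite IDs from the IANA registry. Weak = NULL, export, RC4, DES, 3DES.
WEAK_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
ACCEPTABLE_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite) from a TLS record carrying a
    ServerHello, or None if the bytes are not a well-formed ServerHello record."""
    if len(record) < 9:
        return None
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE or rec_version not in VERSION_NAMES:
        return None  # not a handshake record (e.g. SSLv2 framing, app data)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return None  # truncated capture
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type != HANDSHAKE_SERVER_HELLO or len(hello) != hs_len or len(hello) < 35:
        return None
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1).
    # The version negotiated is the one in the ServerHello body, not the record header.
    version = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]
    if len(hello) < pos + 3:
        return None
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    return version, cipher


def classify(record: bytes) -> dict:
    """Classify one session's ServerHello as ok, violation, or unparsed."""
    parsed = parse_server_hello(record)
    if parsed is None:
        return {"status": "unparsed", "findings": []}
    version, cipher = parsed
    findings = []
    if version in PROHIBITED_VERSIONS:
        findings.append("prohibited protocol " + VERSION_NAMES[version])
    if cipher in WEAK_SUITES:
        findings.append("weak cipher " + WEAK_SUITES[cipher])
    return {
        "status": "violation" if findings else "ok",
        "version": VERSION_NAMES.get(version, hex(version)),
        "cipher": WEAK_SUITES.get(cipher) or ACCEPTABLE_SUITES.get(cipher) or hex(cipher),
        "findings": findings,
    }


def summarize(sessions) -> dict:
    """sessions: iterable of (client_ip, server_ip, server_hello_record).
    Returns overall status counts and the number of violating sessions per server."""
    totals, per_server = Counter(), Counter()
    for _client, server, record in sessions:
        result = classify(record)
        totals[result["status"]] += 1
        if result["status"] == "violation":
            per_server[server] += 1
    return {"totals": dict(totals), "violations_by_server": dict(per_server)}


def build_server_hello(version: int, cipher: int) -> bytes:
    """Build a minimal ServerHello record for the constructed samples below
    (zeroed random, empty session ID, null compression)."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(handshake)) + handshake


# Constructed sample sessions (not real traffic), as a passive sensor might extract them.
SAMPLE_SESSIONS = [
    ("10.0.1.20", "10.0.2.5", build_server_hello(0x0303, 0xC02F)),  # TLS 1.2, strong suite
    ("10.0.1.21", "10.0.2.5", build_server_hello(0x0301, 0x002F)),  # TLS 1.0: prohibited
    ("10.0.1.22", "10.0.2.9", build_server_hello(0x0300, 0x0005)),  # SSLv3 with RC4
    ("10.0.1.23", "10.0.2.9", build_server_hello(0x0303, 0x000A)),  # TLS 1.2 but 3DES
    ("10.0.1.24", "10.0.2.7", b"\x80\x2e\x01\x00\x02"),              # SSLv2-style hello
]

if __name__ == "__main__":
    for client, server, rec in SAMPLE_SESSIONS:
        print(f"{client} -> {server}: {classify(rec)}")
    print(summarize(SAMPLE_SESSIONS))
```

Two things this shows that the paragraph alone does not: the negotiated version must be read from the ServerHello body rather than the record header (the two can differ), and a record the sensor cannot parse should be surfaced separately, since SSLv2 traffic would otherwise be invisible to a parser that only understands TLS framing.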

ExtraHop dashboard showing the number of SSLv3/early TLS sessions in violation of policy, number of weak ciphers, and number and status of certificates.

What To Do Before the June 30 Deadline

Action is imperative. SSL and early TLS are riddled with vulnerabilities and put any organization at high risk of a breach; POODLE against SSLv3 and BEAST against TLS 1.0 are two well-known examples of attackers exploiting weaknesses in these protocols. There is no safe way to use them.

We advise all organizations to migrate to TLS 1.2 (the version the PCI SSC strongly recommends) as early as possible. Anything that defaults to an SSL or early TLS protocol should have those versions disabled outright, not merely de-prioritized: as long as a server still accepts TLS 1.0, a client that offers nothing newer will negotiate it.

For some companies, point-in-time audits may be the only viable option today; if so, ask your security analytics providers whether they can offer a real-time, continuous way to assure PCI compliance between audits.

Read more about the June 30 deadline on the official PCI Security Standards Council’s website.

Matt Cauthorn

Matt Cauthorn is VP of Security for ExtraHop, where he is responsible for all security implementations and leads a team of technical security engineers who work directly with customers and prospects. A passionate technologist and evangelist, Matt is often on site with customers working to solve the complex and mission-critical business problems that Fortune 1,000 and Global 2,000 companies often face. After years spent helping customers tap into the value offered by network-based analytics, Matt has been able to bring fresh thinking to security threat detection. Matt has collaborated with companies across various industries, including banking, healthcare, energy, and retail. Prior to ExtraHop, Matt was a Sales Engineering Manager at F5, and before that he started his career in the trenches as a practitioner overseeing application hosting, infrastructure, and security for five international data centers. Matt holds an MBA from Georgia State University and a Bachelor of Science degree from the University of Florida. A security thought leader and blogger, Matt speaks frequently at industry events, has been featured on podcasts and in webinars, and is commonly quoted in industry coverage.
