What’s New in PCI-DSS v4.0: SSL Cert Monitoring
PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. This article is part of a series of articles under the “What’s New in PCI-DSS v4.0” series where we explore what has changed in PCI-DSS moving to version 4, with version 3.2.1. to be retired as of 31 March 2024. Read the other articles here:
- What’s New in PCI-DSS v4.0: Payment Page Javascript Monitoring
- What’s New in PCI-DSS v4.0: HTTP Header Tamper Detection
- What’s New in PCI-DSS v4.0: Supply Chain Inventory of Software
New clauses and new requirements to existing clauses pertaining to Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks, are:
4.2.1. Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks.
4.2.1.2. Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.
4.2.2. PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.
4.2.1.1. An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained.
There is a continued emphasis on the protection of PANs in the payment process by using and ensuring that strong cryptography and security protocols are used in the transmission process over networks, so that PANs cannot be stolen. Implicitly, this necessitates the requirement to keep an inventory of and monitor the SSL certificates that are used:
- Certificate Expiration Monitoring – Monitoring SSL certificate expiration dates is critical to ensuring that they are renewed before they expire, as expired certificates can cause websites to become inaccessible or insecure. This can be done manually or through the use of automated tools that send alerts when certificates are about to expire.
- Certificate Revocation Status Monitoring – Monitoring the revocation status of SSL certificates can help detect when certificates have been revoked due to security issues, such as a compromised private key. This can be done by checking certificate revocation lists (CRLs) or through the use of online certificate status protocol (OCSP) services.
- Certificate Chain Validation – Validating the certificate chain can help ensure that SSL certificates are issued by a trusted certificate authority (CA) and that they have not been tampered with. This can be done by checking the certificate chain against the list of trusted root certificates on the server or by using third-party tools that perform certificate chain validation.
- Certificate Transparency Monitoring – Certificate transparency logs are public records of SSL certificates issued by CAs. Monitoring these logs can help detect when unauthorized certificates have been issued or when CAs have been compromised. This can be done through the use of third-party tools that monitor certificate transparency logs.
By monitoring SSL certificates, organizations can ensure that their web applications remain secure and reliable and that any SSL-related issues are detected and addressed promptly.
WebOrion will be adding capabilities to check for these new requirements in PCI-DSS version 4. If this is something you are interested in, please contact us at sales@weborion.io