Background: In April this year (2015), the Payment Card Industry Security Standards Council released an update to their Data Security Standard (Version 3.1). The emphasis of the update is on the use of “strong cryptography” rather than on a specific named standard (i.e. SSL & TLS 1.0).
In this blog entry, we continue to identify downstream payment gateways that may not be as secure as they claim to be. While payment networks continue to maintain a third-party registration program that validates paper certifications (and charges a service fee for the listing), they may inadvertently provide a false sense of security in the real world. Companies are listed as being PCI-DSS compliant, but our findings indicate that the actual systems may not be.
Case 2: Paydollar/Asia Pay
Test results using an SSL Test Tool by a certified PCI service provider: the acquiring gateway does not support the “strong encryption” requirements defined by PCI-DSS v3.0. It uses the weak TLS 1.1 as well as a commonly shared 1024-bit Diffie-Hellman group. Essentially, a nation state is able to decrypt all “secured” data.
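The two findings above (a pre-1.2 protocol version and a short, widely shared DH group) can be read directly off the DHE ServerKeyExchange a server sends. The following is an added example, not code from the post or from any test tool it mentions; it assumes the record-layer version reflects the negotiated version, omits the ServerKeyExchange signature for brevity, uses 2048 bits as the "strong" threshold, and runs on constructed sample bytes rather than a real capture.

```python
import struct
from typing import Dict, FrozenSet, List

TLS_1_2 = (3, 3)  # TLS 1.1 is encoded as (3, 2), TLS 1.0 as (3, 1)

def build_server_key_exchange(p: bytes, g: bytes, ys: bytes, version=(3, 2)) -> bytes:
    """Assemble a TLS record carrying a DHE ServerKeyExchange (signature omitted, an assumption)."""
    params = b"".join(struct.pack("!H", len(f)) + f for f in (p, g, ys))
    handshake = b"\x0c" + len(params).to_bytes(3, "big") + params  # 0x0c = server_key_exchange
    return bytes([0x16, *version]) + struct.pack("!H", len(handshake)) + handshake

def parse_server_key_exchange(record: bytes) -> Dict[str, object]:
    """Return the record version and the DH modulus p (with its bit length) from the message."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != 0x0c:
        raise ValueError("not a ServerKeyExchange message")
    body, off, fields = hs[4:4 + int.from_bytes(hs[1:4], "big")], 0, []
    for _ in range(3):  # dh_p, dh_g, dh_Ys are each encoded as <2-byte length, value>
        (n,) = struct.unpack("!H", body[off:off + 2])
        fields.append(body[off + 2:off + 2 + n])
        off += 2 + n
    p, _g, _ys = fields
    return {"version": (major, minor), "p": p, "p_bits": int.from_bytes(p, "big").bit_length()}

def assess_dhe(record: bytes, shared_primes: FrozenSet[bytes] = frozenset()) -> List[str]:
    """Flag the weaknesses described in the post: old TLS version, short DH group, shared DH group."""
    info = parse_server_key_exchange(record)
    findings = []
    if info["version"] < TLS_1_2:
        findings.append("TLS version below 1.2")
    if info["p_bits"] < 2048:  # assumed threshold for a "strong" finite-field DH group
        findings.append(f"DH prime is only {info['p_bits']} bits")
    if info["p"] in shared_primes:  # caller supplies the moduli known to be widely shared
        findings.append("DH prime matches a widely shared group")
    return findings

# Constructed sample: a 1024-bit odd modulus standing in for a real prime, sent over TLS 1.1.
SAMPLE_P = ((1 << 1023) | 0x1234567 | 1).to_bytes(128, "big")
SAMPLE_RECORD = build_server_key_exchange(SAMPLE_P, b"\x02", b"\x05" * 128)

if __name__ == "__main__":
    for finding in assess_dhe(SAMPLE_RECORD, frozenset({SAMPLE_P})):
        print("FINDING:", finding)
```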