PCI DSS Compliance is Essential for the Secure Handling of Credit Card Data and Customer Information
Maintaining payment security is essential for every business that processes credit card transactions or stores cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) is a global standard, most recently revised in May 2018 (version 3.2.1). Its requirements are both highly detailed and very clear: it is the responsibility of every organization in scope to maintain compliance in order to protect customer data.
The New Java Security and Support Challenge
Many organizations throughout the payments industry have deployed systems that are at least partially developed using the Java programming language. Java has been a critical technology for web-based systems and card processing platforms since the late 1990s, and is likely to remain an essential language for many years to come.
However, with the launch of Java 9 in September 2017, Oracle announced a new release and support cadence for Java. The new roadmap features a feature release every six months, with a long-term support (LTS) release every three years. Non-LTS releases (Java 9, 10, 12, 13, 14, 15 and 16) receive updates for only six months each; when the next feature release ships, updates for the previous one stop.
Worse, at least for many organizations, are the changes in Java’s long-term support (LTS) releases.
Publicly available security updates and bugfixes for Java 8 will end in January 2019.
Publicly available updates for Java 11 will only be available until January of 2019 as well.
Java 9 (Oracle support ended in March 2018) and Java 10 (Oracle support ends in September 2018) are both short-lived feature releases and will receive no further security updates, so neither is appropriate for a production system that must stay patched.
If your operation has relied on free, publicly available security updates from Oracle (delivered through the quarterly Critical Patch Update cycle, a fixture of the Java ecosystem for more than 20 years), that access is ending unless you either sign a support contract with Oracle or adopt an alternative Java distribution.
The Countdown to a New PCI Compliance Issue
Just as with the June 30, 2018 PCI deadline for all processors of credit card data to migrate away from SSL and early TLS, PCI DSS Requirement 6.2 (see page 55, quoted below) requires that critical vendor-supplied security patches be installed within one month of release. If no vendor is releasing patches for the Java runtime you run, there is nothing to install, and your compliance with the PCI DSS is in jeopardy. As of January 2019, you will no longer have access to free public security updates for Java 8 from Oracle.
What are your organization’s plans for Java security updates after December 31, 2018?
PCI DSS, page 55, revised May 17, 2018 (emphasis added)
Of course, you are welcome to sign a Java support contract with Oracle (the quoted price may be substantial), or you may wish to explore alternatives.
Maintaining PCI Certification — How Zulu Enterprise Can Help
Zulu Enterprise is Azul Systems’ branding of our builds of OpenJDK. We offer fully certified, tested, and supported releases of Java SE 6-8 today, and will support Java 11 when it is released in September.
Azul provides timely security updates, stability patches, and bugfixes for Zulu Enterprise to our commercial customers, with ample time to meet the PCI DSS requirement that critical security patches be installed within one month of the vendor's release.
Azul also back-ports security fixes from the most recent builds of Java to the prior releases it supports, so that a publicly disclosed issue does not remain exploitable in older versions while customers wait for a fix.
If your operation must comply with the PCI DSS, or needs to address other data security standards (HIPAA is another example), and you are interested in a proven alternative to Oracle's proprietary Java offerings, please contact us. We will show you how Zulu Enterprise can give you a proven, cost-effective way to keep your Java environments patched and in compliance.