Stunnel, an application that wraps commonly used plaintext protocols (SMTP, POP3, IMAP and the like) in an encrypted tunnel, has issued a security bulletin. The flaw could be used to inject arbitrary code and ultimately control where the connection goes. Imagine the emails you are sending to consignors and/or customers being intercepted.
If you think this is being hyper-sensitive, you don’t internets enough.
Any applications installed on your systems must be justified, as per the PCI DSS v2.0:
2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system.
2.2.2.b Identify any enabled insecure services, daemons, or protocols. Verify they are justified and that security features are documented and implemented.
2.2.3.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
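The "identify any enabled insecure services" step in 2.2.2.b is something you can script rather than eyeball. The following is an added example, not part of the original post or of the PCI DSS text: it reads socket-listing lines in the format produced by `ss -Hltnu` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and flags any listener on the well-known port of a protocol the standard names as insecure (FTP 21, Telnet 23, POP3 110, IMAP 143, SNMP 161). The port list and the assumption about the `ss` column layout are mine; extend the list for your environment.

```shell
#!/bin/sh
# Added example: flag listening services on ports of plaintext protocols
# named in PCI DSS 2.2.2 guidance. Assumes input lines in `ss -Hltnu` layout:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port
# Port-to-name table is an assumption; adjust for your environment.
INSECURE_PORTS="21:FTP 23:Telnet 110:POP3 143:IMAP 161:SNMP"

# flag_insecure: reads ss-style lines on stdin, prints "<netid> <port> <name>"
# for every listener on a flagged port. Returns 0 if nothing was flagged,
# 1 if at least one insecure listener was found (so it can gate a check).
flag_insecure() {
    hits=0
    while read -r netid state rq sq laddr peer rest; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}            # works for 0.0.0.0:110 and [::]:110 alike
        for entry in $INSECURE_PORTS; do
            p=${entry%%:*}
            name=${entry#*:}
            if [ "$port" = "$p" ]; then
                printf '%s %s %s\n' "$netid" "$port" "$name"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# count_insecure: convenience wrapper returning the number of flagged lines.
count_insecure() {
    flag_insecure | wc -l | tr -d ' '
}

# Constructed sample socket listing (not real output from any host), used
# when the script is run without --live so it works offline.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:110 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
tcp LISTEN 0 128 [::]:443 [::]:*'

if [ "${1:-}" = "--live" ]; then
    # Real check: ss must be present; a non-zero exit means something was flagged.
    ss -Hltnu | flag_insecure
else
    printf '%s\n' "$SAMPLE_SS" | flag_insecure
fi
```

Run it as `sh check-insecure-listeners.sh --live` on the host under review; a listed Telnet, POP3 or SNMP socket is not automatically a finding, but each one needs the documented justification and compensating security feature that 2.2.2.b asks for (for example, the service only reachable through the Stunnel wrapper, or bound to localhost behind it).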
If someone is going to install third-party software on your computer, ask them whether they are going to maintain and patch that software on a daily basis. A business bound by PCI DSS must at minimum install critical security patches within one month of release (Requirement 6.1 in v2.0). For systems that store, process or connect to sensitive data, applications should be patched far more frequently, ideally daily.
Without even considering PCI DSS, it is common sense. An application installed with good intentions can easily backfire on you if it is not properly maintained.