The Payment Card Industry Security Standards Council published version 3.1 of its Payment Card Industry Data Security Standard (PCI DSS) on April 15. PCI DSS places mandatory minimum standards on all merchants, service providers, and companies that process, store, or transmit cardholder and account data from the major payment card companies. In the first change to the PCI DSS since 2013, the new requirements remove Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) protocols from the list of approved “strong” encryption protocols for transfers of cardholder and account data. The latest version of the PCI DSS warns, “entities using SSL and early TLS must work towards upgrading to a strong cryptographic protocol as soon as possible.” The new PCI DSS recommends TLS, the successor to SSL and early TLS, for secure network communications of cardholder and account data.
To maintain PCI DSS compliance, companies may not develop new systems for handling cardholder or account data that use the SSL or early TLS protocols, with some exceptions for point-of-sale terminals (e.g., chip card readers). Although version 3.1 of the PCI DSS is effective immediately, companies with detailed risk-mitigation and migration plans in place may continue using preexisting systems that rely on SSL and early TLS protocols until June 30, 2016. According to the PCI DSS, mitigation and migration plans should include the following:
- A description of usage, including what data are being transmitted, types and number of systems that use and/or support SSL/early TLS, and the type of environment
- Risk-assessment results and in-place risk-reduction controls
- A description of processes to monitor for new vulnerabilities associated with SSL/early TL
- A description of change-control processes implemented to ensure that SSL/early TLS is not implemented into new environments
- An overview of the migration project plan, including target migration completion date no later than June 30, 2016.
The council also published additional guidance on migration from SSL and early TLS.