Earlier this year, the PCI Security Standards Council published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance. While a majority of the revisions in this updated version are minor updates and clarifications, we highlight a few of the more significant changes in this blog post.
PCI DSS Version 3.1 addresses vulnerabilities in the Secure Sockets Layer (SSL) protocol and in early versions of Transport Layer Security (TLS) that can put payment card data at risk. Although Version 3.1 was published on April 15, 2015, PCI DSS Version 3.0 was not officially retired until June 30, 2015.
For you non-techies, SSL is a cryptographic protocol designed to provide secure communications over a computer network; TLS is its successor. The National Institute of Standards and Technology (NIST) has identified weaknesses in the SSL protocol and in early versions of TLS and has therefore deemed SSL and early TLS unacceptable for data protection. Upgrading to a current version of TLS is the only known way to remediate the vulnerabilities associated with SSL and early TLS; patching an SSL or early TLS implementation does not fix the protocol-level weaknesses. To address these concerns, PCI DSS Version 3.1 removes references to SSL and early TLS from the standard (specifically, in requirements 2.2.3, 2.3 and 4.1) and replaces them with references to TLS.
Under PCI DSS Version 3.1, SSL and early versions of TLS are no longer considered “strong cryptography.” The impacted requirements are as follows:
- SSL and early TLS cannot be used as security controls to protect payment data after June 30, 2016.
- Prior to this date, existing implementations that use SSL and/or early TLS must have a formal risk mitigation and migration plan in place. Guidance on interim risk mitigation approaches, migration recommendations and alternative options for strong cryptographic protocols is outlined in the PCI SSC Information Supplement: Migrating from SSL and Early TLS.
- Effective immediately, new implementations must not use SSL or early TLS.
- Point-of-sale (POS)/Point-of-interaction (POI) terminals (devices such as magnetic stripe readers or chip card readers that enable a consumer to make a purchase) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these protocols as a security control after June 30, 2016.
The revisions were effective as of the date that PCI DSS Version 3.1 was published (April 15, 2015), but, as noted above, the affected requirements are given a sunset date to allow time for organizations to implement these revisions.
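The first step of the migration plan described above is finding out which of your systems will still negotiate SSL or early TLS. The following probe is an added example written for this post; it is not code from the original article or from the PCI Security Standards Council. It sends a minimal ClientHello that offers exactly one protocol version and classifies the first record the server sends back (a ServerHello means the version was accepted, an Alert means it was refused). Two constructed server replies are embedded so the classifier can be exercised offline. The mapping of "SSL and early TLS" to SSLv3 and TLS 1.0 is my reading of the standard, not something the post enumerates; the host and port are command-line arguments.

```python
"""Probe a server for SSLv3 / TLS 1.0 / 1.1 / 1.2 support by sending a
minimal ClientHello per version and classifying the first reply record.
Added example for this post, not PCI SSC code."""
import os
import socket
import struct
import sys

# Protocol version bytes as they appear in the record and handshake headers.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}

# Assumption: "SSL and early TLS" is read as SSLv3 and TLS 1.0. The post does
# not enumerate versions; widen this set if your assessor reads it more broadly.
NOT_PERMITTED = {(3, 0), (3, 1)}

# Suites that old and new stacks both recognise (GCM for TLS 1.2, RSA/ECDHE
# CBC suites for the rest), so the suite list is not why a server declines.
CIPHER_SUITES = [0xC02F, 0x009C, 0xC014, 0xC013, 0x0035, 0x002F, 0x000A]

# Constructed sample replies (not captured from any real server):
#   a TLS 1.0 ServerHello choosing AES128-SHA, and a fatal protocol_version alert.
SAMPLE_SERVERHELLO_TLS10 = bytes.fromhex("160301002a020000260301") + bytes(32) + b"\x00\x00\x2f\x00"
SAMPLE_ALERT_PROTOCOL_VERSION = bytes.fromhex("15030100020246")


def _tls12_extensions():
    """signature_algorithms and supported_groups; TLS 1.2 servers on modern
    OpenSSL refuse a hello without them (SHA-1 signatures are disabled)."""
    sig_algs = b"".join(struct.pack(">H", a) for a in (0x0804, 0x0401, 0x0403, 0x0201))
    groups = b"".join(struct.pack(">H", g) for g in (0x001D, 0x0017))
    ext_sig = struct.pack(">HHH", 0x000D, len(sig_algs) + 2, len(sig_algs)) + sig_algs
    ext_grp = struct.pack(">HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    exts = ext_sig + ext_grp
    return struct.pack(">H", len(exts)) + exts


def build_client_hello(version):
    """Return one handshake record carrying a ClientHello that offers only `version`.
    SSLv3 servers choke on extensions, so they are sent only for TLS 1.2."""
    major, minor = version
    client_random = struct.pack(">I", 0) + os.urandom(28)      # gmt_unix_time + random
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body = (bytes([major, minor]) + client_random
            + b"\x00"                                           # empty session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                                      # compression: null only
    if version >= (3, 3):
        body += _tls12_extensions()
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """("accepted", (major, minor)) for a ServerHello, ("rejected", (level, desc))
    for an Alert, ("unknown", None) for a closed socket or anything else."""
    if len(data) < 5:
        return "unknown", None
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return "accepted", (data[9], data[10])      # ServerHello.server_version
    if data[0] == 0x15 and len(data) >= 7:
        return "rejected", (data[5], data[6])       # Alert level, description
    return "unknown", None


def probe(host, port, version, timeout=5.0):
    """Connect, send the single-version ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


def findings(results):
    """Turn {offered name: (status, detail)} into PCI DSS 3.1 findings, keyed on
    the version the server actually negotiated, not the one offered."""
    out = []
    for offered, (status, detail) in results.items():
        if status == "accepted" and detail in NOT_PERMITTED:
            out.append(f"offered {offered}, server negotiated {NAMES.get(detail, detail)}: "
                       "not an acceptable security control under PCI DSS 3.1")
    return out


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
    for name, (status, detail) in results.items():
        print(f"{name:8} {status:9} {detail}")
    for line in findings(results):
        print("FINDING:", line)
```

Run it as `python probe.py payments.example.internal 443` against each in-scope endpoint. An "accepted" result for SSLv3 or TLS 1.0 is the condition the standard no longer permits; a "rejected" alert with description 70 (protocol_version) or 40 (handshake_failure) is what a correctly migrated server returns. The probe deliberately offers one version at a time rather than a version range, because a server that negotiates down is exactly what you are trying to find.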
It is also worth noting that PCI DSS requires an entity to maintain written agreements with its service providers. Those agreements must include an acknowledgement that the service providers are responsible for the security of cardholder data they possess or otherwise store, process or transmit on behalf of the customer, and for anything else under their control that could affect the security of the customer's cardholder data environment. Entities directly subject to PCI DSS, as well as their service providers, should therefore all take note of the revised requirements in the updated version.
A comprehensive summary of the changes from PCI DSS Version 3.0 to 3.1 is available on the PCI Security Standards Council's website. The Council's Information Supplement titled "Migrating from SSL and Early TLS," discussed above, is available there as well.