Are you up to date with the new PCI DSS version 3.1?
Maybe you thought the race was over. The finish line was in sight. Compliance was in your grasp. But the race goes on. The rules have changed. The finish line has moved ahead of you.
The PCI Security Standards Council released an unscheduled update to its requirements on April 15, 2015. Effective immediately, the new guidelines forbid the use of SSL and TLS 1.0 encryption protocols to protect cardholder data.
The council made these changes in response to several vulnerability disclosures, including the POODLE attack, a padding-oracle attack that lets a man-in-the-middle attacker recover plaintext (such as session cookies) from SSL 3.0 connections.
Because the flaw is in the SSL 3.0 protocol itself rather than in any one implementation, POODLE cannot be patched, so the PCI Council branded SSL and TLS 1.0 as “vulnerable protocols” in the new version of its security standard.
But that’s not all that’s changed. Below we’ll provide an overview of the changes in PCI DSS 3.1 and what you can do about them.
PCI DSS 3.1 is almost identical to its predecessor except for the following changes, which you will have to meet to maintain PCI compliance:
Minor terminology adjustments were also made to help clarify some PCI DSS requirements. For example, in the section on applicability information, “financial institutions” was changed to “acquirers, issuers.”
A full summary of the changes can be found on the PCI Council website.
The three requirements most affected by these changes:
If your business currently uses a vulnerable protocol to protect cardholder data, then you must submit a risk mitigation and migration plan as part of the PCI DSS assessment process.
The document should outline your company’s plan to transition away from the vulnerable protocols. It should also list the steps you will take to reduce the risks surrounding SSL and early versions of TLS until the migration is complete.
According to the PCI Council, a sound risk mitigation and migration plan should include descriptions of:
The migration must be completed no later than June 30th, 2016.
You can learn more in the PCI Council’s document on migrating from SSL and early TLS.
Simply put, any POS/POI implementation that relies on SSL or early TLS needs to be upgraded or reconfigured to support only secure protocols.
Additionally, all implementations need to be configured so they cannot fall back to the vulnerable protocols.
If you’re currently using a POS/POI implementation that relies on any vulnerable protocol, the PCI Council recommends upgrading immediately to TLS v1.1 at a minimum, and strongly recommends that new implementations use TLS v1.2.
If you’re not sure whether or not you’re using an implementation that relies on SSL or early TLS, the PCI Council recommends contacting your software and hardware vendors.
Your vendors will be able to tell you whether your system meets the new standard and provide the steps needed to reconfigure or upgrade to a secure implementation.
Additionally, any system running Windows XP, or a browser as old as Internet Explorer 6, is a red flag for vulnerable protocols: the TLS stack in Windows XP never gained support for TLS 1.1 or 1.2.
The vulnerabilities of SSL and TLS v1.0 pose a serious threat to your business and your customers’ sensitive information, which is why it’s in your best interest to upgrade to a secure protocol as soon as possible.
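The vendor check above is the right first step, but you can verify the result yourself. The following Python script is an added example, not code from the original article or the PCI Council: it builds a server-side TLS context that only negotiates TLS 1.2 or newer (so a client cannot fall back to SSL 3.0, TLS 1.0 or TLS 1.1), and it probes a host you are authorized to test, one protocol version at a time, to report which of the vulnerable versions the server still accepts. The host name, port and file names are placeholders you supply; the classification of versions follows the article (SSL and TLS 1.0 forbidden, TLS 1.1 the minimum, TLS 1.2 recommended).

```python
import socket
import ssl

# Versions to probe, oldest first. ssl.TLSVersion has no SSLv2 member; OpenSSL
# builds without SSLv3 will report that version as "untestable" rather than crash.
PROBE_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                  ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)


def classify(version):
    """Map an ssl.TLSVersion onto the PCI DSS 3.1 categories described in the article."""
    if version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1):
        return "forbidden"          # SSL and early TLS: must be migrated away from
    if version == ssl.TLSVersion.TLSv1_1:
        return "minimum"            # acceptable floor for existing implementations
    return "recommended"            # TLS 1.2 and anything newer


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses every version below TLS 1.2.

    Because the server will not negotiate older versions at all, a client that
    tries to "fall back" simply fails the handshake.  A real deployment passes the
    certificate chain and key (hypothetical file names); the test omits them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def _single_version_client(version):
    """Client context pinned to exactly one protocol version, or None if the local
    OpenSSL cannot speak that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # we are testing protocol support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:                  # "Unsupported protocol version": not compiled in
        return None
    # OpenSSL 3.x at its default security level refuses TLS 1.0/1.1 on the client
    # side.  Lower it for the probe only, so a failure reflects the server, not us.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def classify_outcome(exc):
    """Turn the result of one handshake attempt into a verdict (pure, testable offline)."""
    if exc is None:
        return "accepted"
    # A TLS alert, an EOF mid-handshake or a reset all mean the server would not
    # talk this version -- the result you want for the forbidden ones.
    if isinstance(exc, (ssl.SSLError, ConnectionResetError)):
        return "rejected"
    if isinstance(exc, OSError):        # refused, timed out, no route: inconclusive
        return "unreachable"
    raise exc


def probe(host, port=443, timeout=5.0):
    """Attempt one handshake per version and return {version name: verdict}."""
    results = {}
    for version in PROBE_VERSIONS:
        ctx = _single_version_client(version)
        if ctx is None:
            results[version.name] = "untestable"
            continue
        exc = None
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    tls.version()       # handshake completed at the pinned version
        except OSError as e:
            exc = e
        results[version.name] = classify_outcome(exc)
    return results


def violations(results):
    """Names of forbidden versions the server accepted, i.e. what the migration plan must fix."""
    return sorted(name for name, verdict in results.items()
                  if verdict == "accepted" and classify(ssl.TLSVersion[name]) == "forbidden")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "payments.example.com"  # placeholder host
    res = probe(target)
    for name, verdict in res.items():
        print(f"{name:8s} {verdict:12s} ({classify(ssl.TLSVersion[name])})")
    print("violations:", violations(res) or "none")
```

Run it against each POS/POI endpoint and server you operate; an "accepted" verdict for SSLv3 or TLSv1 is exactly the condition the migration plan has to eliminate, while "untestable" means your own OpenSSL build cannot exercise that version and you need a different tool (or the vendor's confirmation) for it. Note that the probe only tells you what the server accepts; a client that insists on retrying with an older version is a separate, client-side fallback problem that the hardened server context defeats by refusing the handshake.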
PCI DSS v3.1 Summary of Changes
Migrating from SSL and Early TLS