On April 15, 2015, The PCI Security Standards Council published the PCI DSS Version 3.1. Within the update, there were 3 types of changes that were noted. They included:
- Clarifications: Clarifies the intents of the requirements.
- Additional Guidance: Explanations with the purpose of providing further information on the requirements.
- Evolving Requirement: Changes to the requirements to keep up with emerging threats and updates within the market.
The revision from 3.0 to 3.1 included minor updates including clarifications and additional guidance that should not have a significant impact on the organization’s PCI DSS compliance. There is one evolving requirement that is more significant to the level of effort of compliance for PCI DSS. It included:
- Removing Secure Sockets Layer (SSL) as a secure cryptography technology.
SSL and early Transport Layer Security (TLS) are not considered strong cryptography, due to inherent vulnerabilities within protocol that have been discovered. All versions of SSL and early versions of TLS are now considered weak forms of encryption. The only known way to remediate the vulnerability is to upgrade to a current, secure version of TLS.
The revisions are effective immediately, but impacted requirements will have a sunset date that allows organizations with affected systems to remediate vulnerabilities. The sunset date will be June 30, 2016. After this date, SSL and early versions of TLS will be considered ‘Non-compliant’. Previous to this date, organizations must include this vulnerability within their risk assessment plan including risk mitigation and migration considerations related to it.
The risk mitigation and migration plan should be a document prepared by the organization that details plans for migrating to a more secure protocol. It should also include controls in place to reduce the risk associated with SSL and early TLS until the migration is complete. This plan will need to be provided to the assessor. Some of the considerations that should be included in the plan include:
- A description of how vulnerable protocols are used
- Risk assessment results and controls in place to reduce risk
- A description of processes that are implemented to monitor for new vulnerabilities associated with the SSL and early TLS protocols
- A description of the change control process that is in place to ensure vulnerable protocols are not implemented into new environments.
- A migration plan that details the target completion date (no later than June 30, 2016)
For a full detailed list of all the changes to the PCI DSS from version 3 to Version 3.1 and supplemental guidance regarding the migration from SSL and early TLS, see the PCI Security Council documents library here.
If you have any questions regarding PCI DSS 3.1, please call 888-702-5446 or email us at [email protected].