On April 15, 2015, the Payment Card Industry Security Standards Council (PCI-SSC) updated the PCI Data Security Standard (PCI-DSS) from version 3.0 to version 3.1. The new version is effective immediately. PCI DSS Version 3.0 will be retired on June 30, 2015. A summary of the changes, along with the updated standard, can be found on the PCI-SSC website.
PCI DSS 3.1 removes SSL (the Secure Sockets Layer protocol, designed to provide secure communications over a computer network) and early TLS (Transport Layer Security 1.0 and, in some implementations, 1.1) from the standard's examples of strong cryptography. SSL and early TLS may not be used as security controls to protect payment data after June 30, 2016. Until that date, existing implementations that use SSL and/or early TLS must have a formal risk mitigation and migration plan in place. Effective immediately, new implementations must not use SSL or early TLS. Point-of-sale (POS)/point-of-interaction (POI) terminals (devices such as magnetic stripe or chip card readers that let a consumer make a purchase) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these protocols as a security control after June 30, 2016.
The updates to PCI DSS follow the National Institute of Standards and Technology (NIST) identifying SSL as not acceptable for the protection of data because of inherent weaknesses in the protocol. Upgrading to a current version of TLS (1.2 or later) remediates the weaknesses exploited by browser-based attacks such as POODLE (against the CBC padding of SSL 3.0) and BEAST (against CBC mode in TLS 1.0), provided the older protocol versions are actually disabled rather than merely supplemented: POODLE in particular works by forcing a downgrade to SSL 3.0 on a server that still accepts it.
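The two checks a practitioner needs to act on the requirement above, as an added example that is not part of the original page and not PCI SSC code: a lint for an nginx-style `ssl_protocols` directive, showing the weak setting beside the corrected one, and a check of the protocol floor on a Python `ssl.SSLContext`, with a constructor for a context whose floor is TLS 1.2. The sample directives are constructed for the example; the function names are mine. TLS 1.1 is flagged conservatively, following the PCI SSC reading of "early TLS".

```python
"""Flag SSL / early TLS in a TLS policy, as PCI DSS 3.1 requires (added example)."""
import re
import ssl

# Protocol names that PCI DSS 3.1 no longer counts as strong cryptography.
# TLS 1.1 is included conservatively: PCI SSC guidance treats "early TLS"
# as TLS 1.0 and, in some implementations, TLS 1.1.
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample directives (hypothetical, as found in an nginx server block).
WEAK_DIRECTIVE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
FIXED_DIRECTIVE = "ssl_protocols TLSv1.2 TLSv1.3;"

# Whether the linked OpenSSL can still be asked for a TLS 1.0 floor at all.
TLS1_AVAILABLE = ssl.HAS_TLSv1


def weak_protocols(directive):
    """Return the SSL/early-TLS names enabled by an nginx `ssl_protocols` line,
    in the order they appear; an empty list means the directive is clean."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", directive)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    enabled = m.group(1).split()
    return [p for p in enabled if p in EARLY_TLS]


def context_allows_early_tls(ctx):
    """True if the context would negotiate anything below TLS 1.2.

    TLSVersion.MINIMUM_SUPPORTED (-2) means "whatever the linked OpenSSL
    allows", which on older builds includes TLS 1.0, so it is treated as
    non-compliant rather than assumed safe.
    """
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def minimum_version_name(ctx):
    """Name of the context's protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def pci_client_context():
    """Client context with a TLS 1.2 floor; certificate and hostname checks stay on."""
    ctx = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context():
    """The 'before' side: a context that still admits TLS 1.0.

    Raises ValueError on OpenSSL builds that have dropped TLS 1.0 entirely
    (check TLS1_AVAILABLE first).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for line in (WEAK_DIRECTIVE, FIXED_DIRECTIVE):
        print("%-45s weak: %s" % (line, weak_protocols(line) or "none"))
    ctx = pci_client_context()
    print("PCI context floor:", minimum_version_name(ctx),
          "allows early TLS:", context_allows_early_tls(ctx))
    if TLS1_AVAILABLE:
        old = legacy_client_context()
        print("legacy context floor:", minimum_version_name(old),
              "allows early TLS:", context_allows_early_tls(old))
```

The directive lint is only as good as the config it reads; the context check is the one to build into client code, because it inspects the policy the process will actually negotiate with. Disabling SSL 3.0 and TLS 1.0 at the floor is what closes the downgrade path POODLE depends on; adding TLS 1.2 alongside them does not.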
“With PCI DSS 3.1 and supporting guidance we are arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk,” said PCI SSC General Manager Stephen W. Orfei. Other updates to the standard include additional guidance in the introductory sections and in the guidance column, and changes to specific testing procedures to align the testing objectives with the requirements.