Connect with us

Hi, what are you looking for?



PCI DSS 3.1 Sets Deadline for SSL Migration

The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard (PCI DSS) with an eye towards addressing security concerns related to the Secure Sockets Layer (SSL) protocol.

The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard (PCI DSS) with an eye towards addressing security concerns related to the Secure Sockets Layer (SSL) protocol.

PCI DSS v3.1 is available here. The update marks the latest critique of SSL security, which has taken a number of hits due to vulnerabilities such as FREAK and POODLE. Under the rules of the revision, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered examples of “strong cryptography.” The standard defines early TLS as TLS v1.0 as well as version 1.1 in some cases.

The move by the council follows the National Institute of Standards and Technology (NIST) identifying SSL v3.0 as not being acceptable for data protection purposes due to “inherent weaknesses” within the protocol. As a result, the council decided to update the PCI standard.

According to the new rules, companies have until June 30, 2016, to update to a more recent version of TLS. Prior to this date, existing implementations using SSL and or early TLS must have a formal risk mitigation and migration plan in place. Effective immediately, all new implementations must not use SSL or early TLS.

Point-of-sale (PoS) and point-of-interaction (POI) terminals such as magnetic card readers or chip card readers that enable a consumer to make a purchase that can be verified as not being susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after June 30.

“We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data,” said PCI SSC General Manager Stephen W. Orfei, in a statement. “The PCI Standards development process allows us to do this based on industry and market input. With PCI DSS 3.1 and supporting guidance we are arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”

The fact that the PCI Security Standards Council saw fit to release an out-of-band update underscores the threat recent SSL and TLS vulnerabilities pose to payment security, said Brendan Rizzo, technical director, HP Security Voltage.

“Despite the real and immediate threat, many businesses have annual budgets and resource constraints to contend with which will preclude an immediate response,” said Rizzo. “The fourteen month transition time should address this issue, however companies must begin planning now in order to make sure that they do not overrun this liberal transitionary period. If companies do not start to formalize a plan for appropriate security upgrades right away, any breach that they might incur could result in tough questions being asked and, ultimately, in significant reputational damage – even if it occurs before the PCI Council’s implementation deadline.”

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights