Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



PCI DSS 3.1 Sets Deadline for SSL Migration

The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard (PCI DSS) with an eye towards addressing security concerns related to the Secure Sockets Layer (SSL) protocol.

The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard (PCI DSS) with an eye towards addressing security concerns related to the Secure Sockets Layer (SSL) protocol.

PCI DSS v3.1 is available here. The update marks the latest critique of SSL security, which has taken a number of hits due to vulnerabilities such as FREAK and POODLE. Under the rules of the revision, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered examples of “strong cryptography.” The standard defines early TLS as TLS v1.0 as well as version 1.1 in some cases.

The move by the council follows the National Institute of Standards and Technology (NIST) identifying SSL v3.0 as not being acceptable for data protection purposes due to “inherent weaknesses” within the protocol. As a result, the council decided to update the PCI standard.

According to the new rules, companies have until June 30, 2016, to update to a more recent version of TLS. Prior to this date, existing implementations using SSL and or early TLS must have a formal risk mitigation and migration plan in place. Effective immediately, all new implementations must not use SSL or early TLS.

Point-of-sale (PoS) and point-of-interaction (POI) terminals such as magnetic card readers or chip card readers that enable a consumer to make a purchase that can be verified as not being susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after June 30.

“We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data,” said PCI SSC General Manager Stephen W. Orfei, in a statement. “The PCI Standards development process allows us to do this based on industry and market input. With PCI DSS 3.1 and supporting guidance we are arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”

The fact that the PCI Security Standards Council saw fit to release an out-of-band update underscores the threat recent SSL and TLS vulnerabilities pose to payment security, said Brendan Rizzo, technical director, HP Security Voltage.

“Despite the real and immediate threat, many businesses have annual budgets and resource constraints to contend with which will preclude an immediate response,” said Rizzo. “The fourteen month transition time should address this issue, however companies must begin planning now in order to make sure that they do not overrun this liberal transitionary period. If companies do not start to formalize a plan for appropriate security upgrades right away, any breach that they might incur could result in tough questions being asked and, ultimately, in significant reputational damage – even if it occurs before the PCI Council’s implementation deadline.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet