The new PCI-DSS standard (v3.1) is effective immediately, but v. 3.0 will be retired at the end of June 2015.

The big news is that PCI Security Standards Council has declared that SSL and TLS 1.0 and some versions of TLS 1.1 are no longer considered strong cryptography and must be phased out by June 2016. Key implications include:

  • If PCI-compliant systems will use these vulnerable versions of SSL/TLS during the transition period, they will need to have a formal risk mitigation strategy and risk mitigation plan in place
  • New implementations are not permitted to use the vulnerable versions of SSL/TLS, effectively immediately
  • The vulnerable versions of SSL/TLS are permitted to be used in Point of Sale (POS) and Point of Interaction (POI) terminals as long as it can be verified that they are not vulnerable to all known SSL exploits

The last point is quite interesting from an embedded systems perspective.  Aside from the POS/POI terminals, there are millions of embedded systems devices that use SSL.  Users and manufacturers of these devices need to be concerned about upgrading (if even possible).  Additionally, verifying that systems are not vulnerable to all known SSL exploits is tenuous. Today, a system might not be vulnerable, but tomorrow, a new exploit could be published.  At that point, those systems are now out of compliance with PCI.  It will be quite a challenge to bring them into compliance.

The impact is quite significant, not only for organizations that must maintain PCI compliance, but also for most other organizations using SSL and TLS for secure communications.  The PCI standard helps drive what is considered “current standards of due care” for security, so other organizations will, over time, start implementing this guidance.

Getting secure communications right is critical for compliance and good security.  TEAM Mentor has great resources and guidance to help with that task; click here to learn more.