The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released today outlining a number of important changes.
Highlights from PCI DSS 3.1 include but are not limited to:
- Effective June 30, 2016, SSL and early versions of TLS (TLS 1.0 and, in some cases, TLS 1.1) can no longer be used as a security control, because they have known, exploitable weaknesses.
- Effective immediately, new implementations must not use SSL or early versions of TLS.
- Point-of-Sale (POS)/Point-of-Interaction (POI) terminals that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these protocols as a security control after June 30, 2016.
- Several requirements throughout the PCI DSS were updated with additional clarifications and guidance to ensure that the intent of each requirement is understood.
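The first practical question the SSL/early TLS change raises is whether a given endpoint still negotiates those protocol versions. The probe below is an added example, not code from the PCI SSC or from this post, and it assumes only the Python standard library: it sends a bare ClientHello that offers a single protocol version and classifies the server's first record as an acceptance (a ServerHello at that version), a rejection (an alert or a ServerHello at a different version), or unknown. The `probe` and `meets_pci_dss_3_1` function names, the cipher suite list and the fixed client random are this example's own choices.

```python
"""Minimal SSL/TLS protocol-version probe (added example, not PCI SSC material)."""
import socket
import struct

# Protocol version codes carried in the record and handshake headers.
VERSIONS = {
    "SSLv3":   b"\x03\x00",
    "TLS 1.0": b"\x03\x01",
    "TLS 1.1": b"\x03\x02",
    "TLS 1.2": b"\x03\x03",
}
# Versions PCI DSS 3.1 no longer accepts as a security control (TLS 1.1 "in some cases").
EARLY_VERSIONS = ("SSLv3", "TLS 1.0", "TLS 1.1")

# A few widely supported suites so a legacy server has something to pick (example choice).
CIPHER_SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x3c"  # AES128-SHA, AES256-SHA, 3DES-SHA, AES128-SHA256


def build_client_hello(version: bytes) -> bytes:
    """Return a TLS record holding a ClientHello that offers exactly `version`."""
    body = (
        version
        + b"\x00" * 32                       # client_random: fixed zeros are fine for a probe, never for real use
        + b"\x00"                            # session_id length
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                        # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 24-bit length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake  # content_type=handshake


def classify_response(data: bytes, offered: bytes) -> str:
    """Classify the server's first record as 'accepted', 'rejected' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:
        # Alert (handshake_failure, protocol_version, ...): the offered version was not negotiated.
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # Handshake/ServerHello: server_version sits right after the 4-byte handshake header.
        negotiated = data[9:11]
        return "accepted" if negotiated == offered else "rejected"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try each protocol version against host:port; closed connections without an alert count as 'error'."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = classify_response(sock.recv(4096), version)
        except OSError:
            results[name] = "error"
    return results


def meets_pci_dss_3_1(results: dict) -> bool:
    """True when none of the SSL/early TLS versions were accepted."""
    return all(results.get(name) != "accepted" for name in EARLY_VERSIONS)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    found = probe(host)
    for name, verdict in found.items():
        print(f"{name:8} {verdict}")
    print("SSL/early TLS disabled:", meets_pci_dss_3_1(found))
```

A single bare ClientHello per version is enough to show the mechanics, but it is not an assessment: servers that require SNI or that are TLS 1.3-only may reject the probe for reasons unrelated to version policy, and the exception for POI terminals in the highlights above is judged on the terminal's susceptibility to known exploits, not on what one handshake returns. Use a full scanner and the Council's Information Supplement for the actual verification.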
The Council also released a Summary of Changes document (agreement required to view) and an Information Supplement with more specific guidance on SSL and early TLS. Be sure to speak with your QSA to find out how PCI DSS version 3.1 affects your organization.
Author: Viviana Wesley, PCI QSA