Author: Viviana Wesley, PCI QSA
The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released today, outlining a number of important changes.
Highlights from PCI DSS 3.1 include but are not limited to:
- Effective June 30, 2016, SSL and early versions of TLS (1.0 and in some cases 1.1) can no longer be used as they are susceptible to exploitation.
- Effective immediately, new implementations must not use SSL or early versions of TLS.
- Point-of-Sale (POS)/Point-of-Interaction (POI) terminals that can be verified as not being susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after June 30, 2016.
- Several requirements throughout the PCI DSS were updated with additional clarifications and guidance to ensure the desired intent of the requirements is understood.
The Council also released a Summary of Changes document (agreement required to view) and an Information Supplement with more specific information on SSL. Be sure to speak with your QSA to find out how PCI DSS version 3.1 affects your organization.