News

PCI SSC publishes revised data security standard

PCI DSS 3.1 and supporting guidance will help organizations address vulnerabilities within the SSL protocol that put payment data at risk, the council says.

April 16, 2015

The PCI Security Standards Council has published the PCI Data Security Standard 3.1 and supporting guidance. In addition to minor updates and clarifications, the update addresses serious vulnerabilities within the secure sockets layer encryption protocol, according to a press release from the council.

The updated standard is effective immediately; PCI DSS version 3.0 will be retired on June 30, the release said.

The council announced in February that it would upgrade the 3.0 standard, following an assessment by the National Institute of Standards and Technology that inherent weaknesses in SSL made it unacceptable for the protection of data. The updated standard relies upon transport layer security, the successor protocol to SSL.

Among changes in the updated standard:

• SSL and early TLS cannot be used as security controls to protect payment data after June 30, 2016;
• prior to this date, existing implementations that use SSL or early TLS must have a formal risk mitigation and migration plan in place;
• effective immediately, new implementations must not use SSL or early TLS; and
• terminals that can be verified as not susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after June 30, 2016.

"With PCI DSS 3.1 and supporting guidance we are arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk," said PCI SSC General Manager Stephen W. Orfei.

PCI DSS 3.1 and supporting resources are available on the PCI SSC website. Supporting this revision, PA-DSS Version 3.1 will also be published shortly, the release said.