The new release addresses vulnerabilities in the SSL encryption protocol that can put payment data at risk.
June 1, 2015
The PCI Security Standards Council has published Payment Application Data Security Standard Version 3.1. According to a press release, the new standard takes effect June 1, and aligns with the recent release of PCI Data Security Standard 3.1.
The PA-DSS release serves primarily to address vulnerabilities in the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. Upgrading payment applications and systems to a minimum of TLS 1.1 (the successor protocol to SSL) is the only known way to remediate SSL vulnerabilities that have recently been exploited by browser attacks including POODLE and BEAST, the council said.
PA-DSS 3.1 updates requirements 8.2, 11.1 and 12.1-12.2 to remove SSL and early TLS as examples of strong cryptography. The council has established a transition period for applications currently undergoing PA-DSS 3.0 validations:
The expiry date for payment application listings validated to PA-DSS 3.1 is Oct. 28, 2019. The council encourages organizations to use the following resources to understand PA-DSS 3.1 and its impact on security programs:
PA-DSS 3.1 and supporting resources are available on the PCI SSC website.