Update: The PCI SSC published version 3.2.1 of the PCI DSS on May 17, 2018. More information on the revised standard can be found on the PCI SSC website.
Overview of the PCI DSS v3.2.1 Update
The PCI SSC has announced that it will publish an update to PCI DSS version 3.2 in May 2018. The new version, PCI DSS v3.2.1, will include some minor revisions and necessary updates to the standard. While the scheduled update will not include any new requirements or significant changes, it will clarify a requirement regarding Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) encryption and update deadlines that have passed since the release of v3.2.
Some of the minor updates in PCI DSS v3.2.1 include:
- Removing references to the passed effective date of February 1, 2018 for the applicable requirements of v3.2; and
- Updating applicable requirements and Appendix A2 to reflect that only POS POI (point of sale point of interaction) terminals and their service provider connection points may continue using SSL/early TLS as a security control after June 30, 2018.
This revision to the PCI DSS will not affect the Payment Application Data Security Standard (PA-DSS), which will remain at v3.2.
Preparing for June 30, 2018
This particular update doesn’t present any new challenges or urgent action items for organizations already in compliance with the standard. However, for businesses currently relying on SSL/early TLS for their e-commerce environments, this update should serve as a reminder to migrate to a more secure form of encryption by the June 30, 2018 deadline.
SSL/early TLS has been the prevailing form of online encryption for over two decades, but its widespread use and prolonged tenure have afforded attackers and security researchers plenty of time to uncover significant vulnerabilities. Online and e-commerce environments still utilizing SSL/early TLS are the most at risk, and as a result, the DSS is phasing them out.
Encryption requirements for June 30:
- New implementations must not use SSL/early TLS as a security control.
- After June 30, all entities must have stopped using SSL/early TLS as a security control, and use only secure versions of the protocol.* After this date, use of SSL/early TLS will require a compensating control.
* POS POI terminals (and the SSL/early TLS termination points to which they connect) that can be verified as not being susceptible to any known SSL/early TLS exploits may continue using these as a security control after June 30, 2018.
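One practical way to verify the requirement above is to look at what version a server actually negotiates, rather than what its configuration claims. The following is an added example (not code from Focal Point or the PCI SSC) that parses a TLS ServerHello record, extracts the negotiated protocol version (including the TLS 1.3 supported_versions extension, where the legacy_version field still reads 0x0303), and flags SSL 3.0, TLS 1.0 and TLS 1.1 as "SSL/early TLS" in the sense of the standard. The sample handshakes are constructed inline so the script runs offline; in practice the bytes would come from a packet capture or a scanner's output.

```python
import struct
from typing import Dict, Optional

# Protocol version identifiers as they appear on the wire (RFC 5246, RFC 8446).
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# Versions the PCI DSS treats as SSL/early TLS: not acceptable as a security control.
PROHIBITED = {0x0300, 0x0301, 0x0302}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> int:
    """Return the negotiated protocol version carried by a TLS ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    # legacy_version: authoritative up to TLS 1.2; TLS 1.3 keeps 0x0303 here.
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip legacy_version and 32-byte random
    pos += 1 + hello[pos]             # skip session_id (length-prefixed)
    pos += 2                          # skip cipher_suite
    pos += 1                          # skip compression_method
    if pos + 2 <= len(hello):         # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            # In TLS 1.3 the real negotiated version lives in supported_versions.
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", edata)[0]
    return version


def classify(version: int) -> Dict[str, object]:
    """Map a wire version to a name and a PCI DSS SSL/early TLS verdict."""
    name = VERSION_NAMES.get(version, "unknown (0x%04x)" % version)
    compliant = version in VERSION_NAMES and version not in PROHIBITED
    return {"version": name, "compliant": compliant}


def build_server_hello(legacy_version: int, supported_version: Optional[int] = None) -> bytes:
    """Construct a minimal ServerHello record for testing (constructed sample data)."""
    random_bytes = bytes(32)                              # constructed: all zeros
    body = struct.pack("!H", legacy_version) + random_bytes
    body += b"\x00"                                       # empty session_id
    body += b"\xc0\x2f"                                   # cipher_suite (constructed)
    body += b"\x00"                                       # compression: null
    exts = b""
    if supported_version is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!H", 0x0303) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample handshakes, labelled by a hypothetical host name.
SAMPLES = {
    "legacy-pos-gateway": build_server_hello(0x0301),          # TLS 1.0
    "ssl3-appliance": build_server_hello(0x0300),              # SSL 3.0
    "checkout-web": build_server_hello(0x0303),                # TLS 1.2
    "api-edge": build_server_hello(0x0303, 0x0304),            # TLS 1.3 via extension
}


def audit(samples: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Classify every captured ServerHello; non-compliant entries need migration or a compensating control."""
    return {name: classify(parse_server_hello(rec)) for name, rec in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        status = "OK" if verdict["compliant"] else "SSL/early TLS in use"
        print("%-20s %-8s %s" % (host, verdict["version"], status))
```

The check deliberately reads the negotiated version from the server's answer rather than from the client's offer, because a server that accepts a TLS 1.0 ClientHello is the condition the June 30 deadline targets, regardless of what the server also supports.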
Focal Point stands with the SSC’s guidance and recommends that organizations migrate to TLS 1.2 as soon as possible. For more information regarding SSL/early TLS, check out the PCI SSC’s helpful Resource Guide. Focal Point is closely following the movements of the SSC, and will continue to provide updates and analysis of the guidance they release.
For more insights on PCI compliance, including tips for planning your next assessment, check out our PCI DSS scoping guide.
Want more PCI DSS insights and updates like this?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.