The PCI Security Standards Council (PCI SSC) has published a minor revision to the PCI Data Security Standard (PCI DSS) many businesses use to safeguard payment card data. The latest version 3.2.1 replaces the previous version 3.2 to mainly account for migrations to newer and more secure versions of Secure Socket Layer (SSL) and early Transport Layer Security (TLS), given previous migration deadlines have passed.
“It is critically important that organizations upgrade to TLS v1.2 or higher as soon as possible, and disable any fallback to SSL/early TLS,” as the PCI SSC noted in the latest guidelines.
PCI SSC further recommends that after June 30, 2018, SSL/early TLS should not be used as a security control to meet any PCI DSS requirements attempting to demonstrate strong cryptography.
In summary, the specific changes included in the latest DSS 3.2.1 release are:
- Removal of notes referring to an effective date of 1 February 2018 for applicable requirements, as this date has passed.
- Updates to applicable requirements and Appendix A2 to reflect that only POS POI (point of sale point of interaction) terminals and their service provider connection points may continue using SSL/early TLS as a security control after 30 June 2018.
- Removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, as MFA is now required for all non-console administrative access; addition of one-time passwords as an alternative potential control for this scenario.
PCI SSC warned that online and e-commerce environments using older versions of SSL/TLS are the most susceptible to vulnerabilities and should be upgraded immediately.