54419_PCI-DSS V3.1 SSL / TLS 1.0 Requirements

Expand / Collapse

Type of Security Control: Technical | Corrective

Purpose: Secure / Encrypt data transmissions

Impact: High

Applies to: PCI-DSS V3.1 Item 2.2.3 / 2.3 / 4.1

The following are the requirements, as outlined by PCI-DSS v3.1, that requires customers to "turn off" or otherwise disable the ciphers for TLS 1.0 or less. This is required to be completed by June 30, 2018. Until it is completed, each customer will receive a negative mark on monthly compliance scans until they can prove through a documented exception request for an exception. In order for an exception to be approved, PCI-DSS requires that each company document a risk mitigation and migration plan.  

Applicable Compliance Statements: PCI-DSS V3.1: (example -  full source located at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf)

2.2.3 / 2.3 / 4.1: Implement additional security features for any required services,protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP,etc. Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date,existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.Effective immediately, new implementations must not use SSL or early TLS.POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

Ensuring that all insecure services, protocols, and daemons are adequately secured with appropriate security features makes it more difficult for malicious individuals to take advantage of commonly used points of compromise within a network.Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57,OWASP, etc.).Regarding use of SSL/early TLS: Entities using SSL and early TLS must work towards upgrading to a strong cryptographic protocol as soon as possible.Additionally, SSL and/or early TLS must not be introduced into environments where they don’t already exist. At the time of publication, the known vulnerabilities are difficult to exploit in POS POI payment environments. However, new vulnerabilities could emerge at any time, and it is up to the organization to remain up-to-date with vulnerability trends and determine whether or not they are susceptible to any known exploits.Refer to the PCI SSC Information Supplement Migrating from SSL and Early TLS for further guidance on the use of SSL/early TLS. 



Internal (to the customer) risk mitigation and migration plan must be completed and documented according to your internal policies and standards.



Internal (to the customer) risk mitigation and migration plan must be completed and documented according to your internal policies and standards.

Rate this Article:

Category: Security

Last Modified:Thursday, December 31, 2015 2:20 PM

Rated 4 stars based on 1 vote

Article has been viewed 5,690 times.

Email Article Email Article

Social Bookmarks Social Bookmarks