PCI Council publishes new PCI Data Security Standard Version 3.1 and provides very short time to implement new encryption standards.

The PCI Council just published a new version of the PCI Data Security Standard (PCI DSS). The new Version 3.1 (agreement required) is available to use immediately and becomes mandatory on June 30, 2015. If your company's annual report on compliance is due on July 1 or after, you are required to evaluate your compliance against the new Version 3.1. The PCI Council generally expects all companies to follow the new version when it becomes mandatory, even if you have already completed your report on and attestation of compliance for the year.

As we previously reported, the most significant change in this update is that SSL (Secure Sockets Layer) and earlier versions of TLS (Transport Layer Security), both very popular encryption protocols that have been used to help protect online payments, no longer satisfy the PCI DSS requirement for strong cryptography. This means that if your website's shopping cart accepts connections over one of these legacy protocols, it is going to need to be updated. It may not be a quick or simple fix, especially if other integrated systems (payment gateways, point-of-sale terminals, partner APIs) also have to be updated so that they can negotiate the newer protocol versions.

As of June 30, 2015, all new implementations must not use SSL or early TLS from day one. However, the updated requirements do provide some time to correct pre-existing implementations. Under requirements 2.2.3, 2.3 and 4.1, companies have until June 30, 2016 to migrate existing implementations that use SSL and/or early TLS to a secure protocol version. In the interim, companies must prepare and provide a formal "Risk Mitigation and Migration Plan" in order to certify their compliance. The Risk Mitigation and Migration Plan must include:
- A description of how the legacy encryption is used, including what data is transmitted, the types and number of systems impacted and the type of environment;
- A risk assessment that is specific to this legacy encryption and corresponding compensating controls to reduce the identified risks;
- A process to monitor for new vulnerabilities associated with SSL and/or early TLS;
- A description of the change control procedures that have been implemented to ensure that SSL and/or early TLS will not be implemented into any new environments; and
- A project plan with a targeted completion date of no later than June 30, 2016.
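The first item in that plan, a description of where legacy encryption is still in use, starts with knowing which protocol versions each of your public endpoints actually accepts. The following script is an added example written for this page, not code from the PCI Council or from the original article. It attempts a handshake against a host once per protocol version, reports which versions the server negotiates, and flags any that fall below TLS 1.2. The TLS 1.2 threshold, the `PROBES` and `ACCEPTABLE` tables, and the function names are this example's own assumptions (the standard's text itself speaks only of "SSL and early TLS"); it assumes Python 3.7 or newer linked against OpenSSL.

```python
"""Probe which SSL/TLS protocol versions a server accepts and flag legacy ones.

Added example; not part of the original article or the PCI DSS text.
Assumption: only TLS 1.2 and newer count as acceptable; SSLv3, TLS 1.0 and
TLS 1.1 are treated as "SSL / early TLS" that a migration plan must cover.
"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first (assumed table, not from the standard).
PROBES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Assumption: anything below TLS 1.2 is reported as legacy.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def probe_context(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only want to learn whether the server will negotiate this version,
    # not authenticate the server, so certificate checks are off for the probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses to even offer TLS 1.0/1.1 at its default security
        # level; lowering it makes the probe send the legacy ClientHello.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older OpenSSL do not know SECLEVEL; proceed anyway
    return ctx


def server_accepts(host, port, version, timeout=5.0):
    """Return True if a handshake at exactly `version` succeeds."""
    try:
        ctx = probe_context(version)
    except (ValueError, ssl.SSLError):
        return False  # local OpenSSL cannot speak this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_host(host, port=443):
    """Map each protocol name to whether the server accepted it."""
    return {name: server_accepts(host, port, v) for name, v in PROBES.items()}


def legacy_versions_accepted(results):
    """Accepted versions that fall below the assumed TLS 1.2 threshold."""
    return [name for name, ok in results.items() if ok and name not in ACCEPTABLE]


def pci_verdict(results):
    """Summarise a probe result as PASS, FAIL or UNKNOWN."""
    legacy = legacy_versions_accepted(results)
    if legacy:
        return "FAIL: legacy protocols still accepted: " + ", ".join(legacy)
    if not any(results.values()):
        return "UNKNOWN: no handshake succeeded (host down, filtered, or probe blocked)"
    return "PASS: only TLS 1.2 or newer accepted"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    outcome = probe_host(target)
    for name, accepted in outcome.items():
        print(f"{name:8} {'accepted' if accepted else 'refused'}")
    print(pci_verdict(outcome))
```

Run it as `python probe_tls.py shop.example` against each cardholder-facing endpoint and keep the output with the migration plan; it is a quick inventory aid, not a substitute for a QSA's assessment. A "refused" result from a client library that cannot itself speak SSLv3 or TLS 1.0 is not proof the server refuses them, which is why the script reports UNKNOWN rather than PASS when nothing at all negotiated.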