Here we go again…. I am writing this to, hopefully bring you the best and simplest understanding of your roles, changes and responsibilities. In December 2015 the PCI/DSS council released a bulletin containing changes which are required to be implement by June 2016. So below, in addition to all the PCI/DSS items you are currently doing, these below will need to be implemented no later than June 30th 2016. Lucky for us =) this should be the only 2016 change from the council…. But you can never say for sure.
In April 2015, PCI SSC issued initial guidance and removed SSL as an example of strong cryptography from the PCI Data Security Standard (PCI DSS), stating that it can no longer be used as a security control after 30, June 2016.
After seeking extensive marketplace feedback, the PCI Security Standards Council revised and updated sunset dates.
All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016.
Highly suggest you go a bit further than this due to current issues with TLS 1.1 and the likelihood that it will soon be compromised. I suggest you make certain TLS 1.1 AND 1.2 are available on your server, so that when 1.1 is cracked it can easily be disabled without a downtime issue for your store. Additionally, while you are at it, make sure the RC4 Cipher is disabled on your server as well. Authorize.net needs this and it’s weak and a PCI fail in and of itself. If you are confused visit the SSL tester here and send the results to your hosting company, te4ll them you want an A+ rating like ours.
Consistent with the existing language in the DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater
We covered this above already.
All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018
This really doesn’t concern us, except to keep up with information from our processors such as Authorize . net, Linkpoint, PayPal etc and make the changes they may require going forward.
The use of SSL/TLS 1.0 within a POI terminal that can be verified as not being susceptible to all known exploits for SSL and early TLS, with no demonstrative risk can be used beyond June 2018 consistent with the existing language in the DSS v3.1 for such an exception
This also if for our processors =)
This is a reminder, the SSL/early TLS updates in PCI DSS v3.2 were made public in December. We should all already be confronting this issue. Remember to read the Bulletin on Migrating from SSL and Early TLS for more information.
If you are just getting started, or want to check your processes, I recommend our basic PCI Guide for merchants for you.