PCI DSS 3.2


Here we go again… I am writing this to bring you, hopefully, the simplest clear picture of your roles, your responsibilities and what has changed. In December 2015 the PCI Security Standards Council (PCI SSC) released a bulletin revising the SSL/early TLS migration dates; the first of those changes has to be in place by June 30, 2016. So, in addition to all the PCI DSS items you are already doing, the items below need attention, the first of them no later than June 30th 2016. Lucky for us =) this should be the only 2016 change from the council… but you can never say for sure.

In April 2015, PCI SSC issued initial guidance (PCI DSS v3.1) and removed SSL and early TLS as examples of strong cryptography from the PCI Data Security Standard (PCI DSS), stating that they could no longer be used as a security control after 30 June 2016.

After seeking extensive marketplace feedback, the PCI Security Standards Council revised the sunset dates in the December 2015 bulletin, as follows.

First item

All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016.

I highly suggest you go a bit further than this. TLS 1.1 is only a stopgap: it is not broken the way SSLv3 and TLS 1.0 are, but it has no AEAD cipher suites and still uses the old MD5/SHA-1 based PRF, so it is next in line to be retired. Make certain that TLS 1.1 AND TLS 1.2 are both enabled on your server now, so that when 1.1 has to go it can be switched off without a downtime issue for your store. Additionally, while you are at it, make sure the RC4 cipher is disabled on your server as well. Authorize.net requires this, and RC4 is weak and a PCI fail in and of itself. If you are unsure where you stand, run your site through an online SSL tester (the Qualys SSL Labs server test is the one that hands out the letter grades), send the results to your hosting company, and tell them you want an A+ rating like ours.
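Here is the kind of check I would run before sending anything to the hosting company. It is an added example for this post, not code from the PCI SSC, from Authorize.net or from any SSL tester. It uses only Python's standard library (3.7 or later, for ssl.TLSVersion), attempts one handshake per protocol version and one handshake restricted to RC4 suites, then grades the answers against the checklist above: SSL and TLS 1.0 off, TLS 1.1 and 1.2 both on, RC4 off. The hostname in the usage line is a placeholder. A result of None means the machine you scan from cannot speak that legacy version at all, which is normal on current OpenSSL builds; the grading reports that as "could not test" rather than a pass, because it says something about your client, not the server.

```python
"""Probe a TLS endpoint for the SSL/early-TLS conditions discussed above.

Added example for this post; not code from the PCI SSC or from any processor.
Assumes Python 3.7+ (ssl.TLSVersion).  Probes that the local OpenSSL cannot
perform (SSLv3, RC4 on modern builds) are reported as None, not as a pass.
"""
import socket
import ssl

# Probes run oldest-first.  TLSVersion is an IntEnum, so versions compare numerically.
PROBES = [
    ("SSLv3",   ssl.TLSVersion.SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1),
    ("TLSv1_1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1_2", ssl.TLSVersion.TLSv1_2),
]


def _client_context(min_version, max_version, ciphers=None):
    """Build a client context limited to [min_version, max_version].

    Returns None when the local OpenSSL refuses the version range or cipher
    list, which on current builds is common for SSLv3 and for RC4.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we test protocol/cipher support, not the chain
    try:
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
        # Legacy versions and RC4 are blocked at OpenSSL's default security level;
        # lower it for the probe only, so a "no" means the server said no, not us.
        ctx.set_ciphers((ciphers or "ALL") + ":@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def probe(host, port, min_version, max_version=None, ciphers=None, timeout=5.0):
    """True if a handshake within the version range (optionally restricted to
    `ciphers`) succeeds, False if the server rejects it, None if untestable."""
    ctx = _client_context(min_version, max_version or min_version, ciphers)
    if ctx is None:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def scan(host, port=443):
    """Run every version probe plus the RC4 check; returns {name: True/False/None}."""
    results = {name: probe(host, port, ver) for name, ver in PROBES}
    # RC4 suites exist for TLS 1.0 through 1.2, so allow that whole range here.
    results["RC4"] = probe(host, port, ssl.TLSVersion.TLSv1,
                           ssl.TLSVersion.TLSv1_2, ciphers="RC4")
    return results


def assess(results):
    """Turn scan() output into (passed, findings) using the checklist above.

    Unknowns (None) are listed as INFO and never count as a pass or a fail.
    """
    findings = []
    for name in ("SSLv3", "TLSv1"):
        if results.get(name):
            findings.append("FAIL: %s accepted; disable it (SSL/early TLS are not strong cryptography)" % name)
    if not results.get("TLSv1_1") and not results.get("TLSv1_2"):
        findings.append("FAIL: neither TLS 1.1 nor TLS 1.2 offered (required from June 2016)")
    elif not results.get("TLSv1_2"):
        findings.append("WARN: TLS 1.2 not offered; enable it now so TLS 1.1 can be switched off later without downtime")
    if results.get("RC4"):
        findings.append("FAIL: RC4 cipher suites accepted; remove them")
    for name, value in results.items():
        if value is None:
            findings.append("INFO: could not test %s from this client" % name)
    passed = not any(f.startswith("FAIL") for f in findings)
    return passed, findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    ok, notes = assess(scan(target))
    print("%s: %s" % (target, "PASS" if ok else "FAIL"))
    for note in notes:
        print("  " + note)
```

Run it as `python tlscheck.py shop.example` against your store's hostname. It deliberately does not verify the certificate chain, since the question here is which protocol versions and ciphers the server will negotiate; use the SSL Labs test for the full picture, including certificate and chain issues, before you quote a grade to your host.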

Second item

Consistent with the existing language in the DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater.

We covered this above already.

Third item

All processing and third party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018.

On the store side this mostly means keeping up with notices from our processors such as Authorize.net, Linkpoint, PayPal etc. and making the changes they require going forward; in particular, your store's own outbound connections to their gateways must be able to speak TLS 1.1/1.2 before they drop TLS 1.0. Keep in mind, though, that June 30, 2018 is also the date after which SSL and TLS 1.0 may no longer be used as a security control anywhere in your cardholder data environment, so plan to have them disabled on your own server well before then.

Fourth item

The use of SSL/TLS 1.0 within a POI terminal that can be verified as not being susceptible to all known exploits for SSL and early TLS, with no demonstrable risk, can be used beyond June 2018, consistent with the existing language in the DSS v3.1 for such an exception.

This one is for point-of-interaction terminal vendors and our processors, not for web stores =)

Conclusion

This is a reminder: the revised SSL/early TLS dates that PCI DSS v3.2 incorporates were made public in the December 2015 bulletin, so we should all already be confronting this issue. Remember to read the PCI SSC bulletin on Migrating from SSL and Early TLS for more information.

If you are just getting started, or want to check your processes, I recommend our basic PCI Guide for merchants.