On Thursday, May 17, the PCI Security Standards Council (PCI SSC) released an updated version of the PCI DSS standard, primarily to include clarifications and minor revisions around controls that referenced SSL/early TLS. The new version removes notes referring to the effective date of February 1, 2018 for applicable requirements, as this date has passed. Unlike prior PCI DSS version updates, this update does not include any new control requirements. With that in mind, there are some key specifics that are applicable to merchants and service providers.
- POS POI termination points, including but not limited to service providers, such as an acquirer or acquirer processor, can continue allowing the use of SSL/early TLS for merchants when it can be shown that the service provider has controls in place that mitigate the risk of supporting those connections for the service provider environment.
- Service providers are required to document and maintain a Risk Mitigation and Migration Plan (RMMP) to detail the controls implemented to mitigate use of the insecure communication channel. Service Providers should also regularly communicate with customers to ensure they are aware of SSL/early TLS risks (applicable to PCI DSS Req. 2.2.3, 2.3, 4.1, Appendix A2).
- POS POI terminals that are verified to not be susceptible to known exploits are permitted to connect to service provider payment processing endpoints that support early TLS (applicable to PCI DSS Req. 2.2.3, 2.3, 4.1, Appendix A2).
- Should a new exploit be introduced that results in the POS POI being susceptible, the POS POI is required to be updated immediately.
The new PCI DSS v3.2.1 ‘Requirements and Security Assessment Procedures’ documentation is now available on the PCI SSC website, with the PCI validation templates (ROC, AOC, and SAQ) forthcoming.
Merchants and service providers currently engaged with compliance validation efforts may continue to use PCI DSS v3.2 through 12/31/2018; after which, only PCI DSS v3.2.1 is permitted to be used for compliance validation activities.
While this is a minor update compared to most, with minimal impact to most organizations, the changes are still important to understand. Should you have any questions, we are here to help keep you on a secure path!