PCI Council Gives Merchants Reprieve on PCI 3.1 Updates

Shawn Shifflett, CISSP, QSA, Senior Practice Director, PCI

The Payment Card Industry Security Standards Council (PCI SSC) released an update to its vulnerability standards and is giving merchants until June 2018 to migrate their security protocols, even though waiting is not recommended.

Need a refresher? Read up on the summary of PCI DSS 3.1 changes: https://www.coalfire.com/The-Coalfire-Blog/February-2015/What-does-PCI-DSS-3-1-and-PA-DSS-3-1-mean-for-you

Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) have carried known vulnerabilities for many years. Following a slew of high-profile breaches caused by POODLE, Heartbleed and FREAK, the PCI SSC took action in April 2015, mandating that all SSL and early TLS be replaced with newer protocol versions before June 30, 2016. That date, at least for merchants, has been postponed until June 30, 2018.
The PCI SSC has released several statements regarding this migration extension. Taken together, the revisions state:

For Merchants:

  • Merchants are encouraged to migrate to a TLS 1.1 or greater service offering as soon as possible, but the deadline for migration has been extended to June 2018. For merchants continuing to use SSL and early TLS, an implemented Risk Mitigation and Migration Plan will be required until migration is completed.
  • All new implementations must be enabled with TLS 1.1 or greater.

For Service Providers (including acquirers, processors, gateways, and those offering payments services):

  • All service providers MUST provide a TLS 1.1 or greater service offering by June 2016 for merchants that wish to migrate prior to the June 2018 deadline.
  • Patches to legacy service offerings in production prior to Dec. 18, 2015, to support TLS 1.1 or TLS 1.2 are not considered new implementations, but are considered a TLS 1.1 or greater service offering.
  • New service offerings must meet the directive to only support TLS v1.1 and greater.
  • For those service providers continuing to support SSL and early TLS, an implemented Risk Mitigation and Migration Plan will be required until SSL and early TLS are no longer supported.

How this will affect your business

Coalfire has been scanning customers with Navis® for SSL and TLS vulnerabilities for some time now. Because there is no patch available for SSL, and because the PCI Council deemed last year that SSL and early TLS will not protect cardholder data, we do not pass merchants with these known vulnerabilities without proper documentation. This will not change.
Per the PCI SSC, SSL and early TLS are no longer acceptable for use. The extended deadline merely provides time to remediate these known issues; they should be addressed right away.

Which Environments are Most Vulnerable?

Because virtually all ecommerce websites rely on SSL/TLS to encrypt traffic, they are at the highest risk from SSL/TLS vulnerabilities. Other applications that likely use SSL/TLS are:

  • Virtual payment terminals
  • Back-office servers
  • Web/application services

The PCI Council reported that, as of November 2015, there were still 200,000 vulnerable devices on the Internet, which is likely what led to this deadline extension.

How Do I Find Out If I’m Using SSL/TLS?

You could contact your terminal providers, gateways, service providers, vendors, and acquiring bank to determine if the applications and devices you use have the updated encryption protocol. However, a much easier, more thorough, and less time-consuming option would be to conduct a penetration test on all of your systems to find any known vulnerabilities.

What do I do If I’m Using SSL/TLS?

If you’re using an existing implementation of SSL or early TLS and you need to continue using it, you must have a Risk Mitigation and Migration Plan in place. Some key points to consider before implementing new software and hardware are:

  • Identify all system components and data flows relying on or supporting the vulnerable protocols.
  • For each identified system component or data flow, identify and prioritize the business need.
  • Immediately remove or disable non-critical vulnerable protocols.
  • Identify technologies to replace the vulnerable protocols, such as cloud-based databases, point-to-point encryption, and encrypted virtual terminals.
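One way to apply the first and last of these points on the software side is to audit the TLS configuration your own applications present. The following is an added example, not Coalfire code or PCI SSC guidance: it flags any Python `ssl.SSLContext` whose negotiable floor is below TLS 1.1 (the Council's "TLS 1.1 or greater") as needing a migration plan, and builds the context a new implementation should use. The function names and the sample inventory are constructed for illustration.

```python
"""Audit ssl.SSLContext objects against the PCI SSC rule in this bulletin:
SSL and early TLS (1.0) are not acceptable, and new implementations must
negotiate TLS 1.1 or greater.  Added example; all names are hypothetical."""
import ssl

# The floor the bulletin sets: TLS 1.1 or greater.  A context that can still
# negotiate below it needs a Risk Mitigation and Migration Plan.
PCI_FLOOR = ssl.TLSVersion.TLSv1_1


def audit_context(name: str, ctx: ssl.SSLContext) -> dict:
    """Report whether a context can still negotiate SSLv3 or TLS 1.0.

    Assumption: only ctx.minimum_version (Python 3.7+) is consulted; the
    older OP_NO_* option bits are not inspected here.
    """
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED means "whatever the linked OpenSSL still speaks",
    # which on a legacy build includes SSLv3 and TLS 1.0, so it also fails.
    early_tls = floor < PCI_FLOOR
    return {
        "name": name,
        "minimum_version": floor.name,
        "early_tls_permitted": early_tls,
        "needs_migration_plan": early_tls,
    }


def build_pci_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context for a new implementation: certificate verification stays on
    and TLS 1.2 is the floor, which satisfies 'TLS 1.1 or greater'."""
    ctx = ssl.create_default_context(purpose=purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def migration_backlog(contexts: dict) -> list:
    """Sorted names of the contexts that a migration plan must cover."""
    reports = (audit_context(n, c) for n, c in contexts.items())
    return sorted(r["name"] for r in reports if r["needs_migration_plan"])


def sample_inventory() -> dict:
    """Constructed stand-in for a merchant's endpoint inventory."""
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Lowers the floor back to whatever OpenSSL permits, i.e. early TLS.
    legacy.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return {"legacy-virtual-terminal": legacy, "new-gateway": build_pci_context()}


if __name__ == "__main__":
    for item in sample_inventory().items():
        print(audit_context(*item))
```

The same audit can be pointed at the contexts your web, virtual-terminal and back-office services actually construct, which gives you the component inventory the first bullet asks for.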

Coalfire can work with you to determine whether your environment is at risk for SSL or early versions of TLS vulnerabilities, as well as make recommendations for improving the security of your data environment.

In the meantime, you have until June 30 to develop a plan to comply.
