PCI Council publishes new PCI Data Security Standard Version 3.1 and provides a very short time to implement the new encryption requirements.
The PCI Council just published a new version of the PCI Data Security Standard (PCI DSS). The new Version 3.1 (agreement required) is available to use immediately and becomes mandatory on June 30, 2015. If your company’s annual report on compliance is due on July 1 or after, you are required to evaluate your compliance against the new Version 3.1. The PCI Council generally expects all companies to follow the new version when it becomes mandatory, even if you have already completed your report on and attestation of compliance for the year.
As we previously reported, the most significant change in this update is that SSL (Secure Sockets Layer) and early versions of TLS (Transport Layer Security), the widely used protocols that encrypt online payment traffic in transit, no longer qualify as strong cryptography under the PCI DSS. This means that if your website’s shopping cart, or any other system that carries cardholder data, still negotiates one of these legacy protocols, it is going to need to be updated. That may not be a quick or simple fix: a server can only be moved to a current version of TLS once every client and integrated system that talks to it (payment gateways, point-of-sale devices, partner integrations, older browsers) can also negotiate that version, so those dependencies have to be inventoried and updated first.
As of June 30, 2015, all new implementations must not use SSL or early TLS from day one. However, the updated requirements do provide some time to correct pre-existing implementations. Under requirements 2.2.3, 2.3 and 4.1, companies have until June 30, 2016 to implement updated encryption on existing implementations that use SSL and/or early TLS. Companies must prepare and provide a formal “Risk Mitigation and Migration Plan” in order to certify their compliance in the interim.
The Risk Mitigation and Migration Plan must include:
- A description of how the legacy encryption is used, including what data is transmitted, the types and number of systems impacted and the type of environment;
- A risk assessment that is specific to this legacy encryption and corresponding compensating controls to reduce the identified risks;
- A process to monitor for new vulnerabilities associated with SSL and/or early TLS;
- A description of the change control procedures that have been implemented to ensure that SSL and/or early TLS will not be implemented into any new environments; and
- A project plan with a targeted completion date of no later than June 30, 2016.
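The first item of the plan (a description of where legacy encryption is used and which systems are affected) and the monitoring item both presuppose that you can tell which protocol version a given system actually negotiates. The script below is an added example for this post, not part of the PCI Council's materials or the original article: it parses the ServerHello from a captured TLS handshake and reports the negotiated version, flagging SSL 3.0 and TLS 1.0 as the "SSL and early TLS" the standard refers to. The sample records, host labels and cipher suite are constructed for the example; treating TLS 1.1 as in or out of scope is a policy choice, so it is passed as a parameter rather than hard-coded.

```python
"""Classify the protocol version negotiated in a captured SSL/TLS ServerHello.

Added example for this post (not the PCI Council's or the article author's code).
It reads the first record of a server's handshake response and reports the
version the server selected, which is the fact an inventory of legacy SSL /
early TLS usage needs. All sample byte strings below are constructed by hand.
"""
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
SERVER_HELLO = 0x02   # handshake message type: ServerHello

# (major, minor) as sent on the wire -> protocol name
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# Assumption for this example: SSL 3.0 and TLS 1.0 are the "SSL and early TLS"
# in scope. Whether TLS 1.1 is also treated as legacy is a policy decision,
# so callers can pass their own set.
LEGACY = frozenset({"SSL 3.0", "TLS 1.0"})


def parse_server_hello(record: bytes) -> str:
    """Return the protocol version named inside a ServerHello record.

    Wire layout:  record header = type(1) version(2) length(2)
                  handshake     = type(1) length(3) server_version(2) ...
    The version inside the ServerHello body is the negotiated one; the
    record-layer version may legitimately differ, so it is only sanity-checked.
    """
    if len(record) < 11:
        raise ValueError("record too short to contain a ServerHello")
    ctype, rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"not a handshake record (type {ctype:#x})")
    if rec_major != 3:
        raise ValueError(f"unexpected record-layer major version {rec_major}")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type:#x})")
    if len(body) < 4 + hs_len:
        raise ValueError("truncated ServerHello")
    major, minor = body[4], body[5]
    return VERSIONS.get((major, minor), f"unknown (0x{major:02x}{minor:02x})")


def is_legacy(version: str, legacy=LEGACY) -> bool:
    """True if the negotiated version falls in the legacy set."""
    return version in legacy


def inventory(captures: dict, legacy=LEGACY) -> dict:
    """Map {label: captured record} -> {label: (version or error, legacy flag)}.

    Unparseable captures are reported with a None flag rather than dropped, so
    the inventory shows what still has to be re-captured by hand.
    """
    report = {}
    for label, record in captures.items():
        try:
            version = parse_server_hello(record)
            report[label] = (version, is_legacy(version, legacy))
        except ValueError as exc:
            report[label] = (f"parse error: {exc}", None)
    return report


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal, well-formed ServerHello record for the given version.

    Body = server_version(2) + random(32, zeroed here) + session_id_len(1)=0
           + cipher_suite(2, 0x002f chosen arbitrarily) + compression(1) = 38 bytes.
    """
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample captures, labelled with hypothetical host names.
SAMPLES = {
    "cart-web-01": build_server_hello(3, 0),   # SSL 3.0 -> legacy
    "cart-web-02": build_server_hello(3, 3),   # TLS 1.2 -> fine
    "api-gw":      build_server_hello(3, 1),   # TLS 1.0 -> legacy
    "garbled":     b"\x16\x03\x01\x00\x02\x02", # truncated capture
}

if __name__ == "__main__":
    for host, (version, flag) in inventory(SAMPLES).items():
        status = {True: "LEGACY", False: "ok", None: "RECHECK"}[flag]
        print(f"{host:12} {version:28} {status}")
```

In practice the records come from a packet capture or from a scanner that connects once per protocol version; the parser does not care which. Run with the stricter set (`inventory(SAMPLES, legacy=LEGACY | {"TLS 1.1"})`) if your risk assessment decides TLS 1.1 is also out of scope.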
In addition to the change in encryption requirements, Version 3.1 also includes a number of other minor updates, including reiterating that the PCI DSS applies to all entities that store, process or transmit cardholder data, clarifying that certain requirements only apply to “service providers,” and indicating that the annual risk assessment required by 12.2 must result in a formal, documented analysis of the applicable risks.
The PCI Council has posted the new PCI DSS Version 3.1 and a summary of changes between Version 3.0 and 3.1 (agreement required). For more information, the PCI Council has also posted a short online webinar (registration required) that outlines the revisions in Version 3.1 and an information supplement about migrating from the legacy encryption standards.
Bottom line: With just 75 days before the new Version 3.1 becomes mandatory, companies that are still using legacy SSL or early TLS to encrypt PCI-related communications will need to move quickly to develop their plans to implement the new encryption requirements.
Christopher Avery is a privacy and data security attorney in Davis Wright’s New York City office. He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on how to prepare for, respond to and recover from cybersecurity events.