PCI DSS Version 3.1

With PCI DSS version 3.1 now released, what will the impact to operators be?

PCI DSS version 3.1 has been released as part of the 36 month PCI DSS lifecycle and incorporates changes resulting from the end of the version 3.0 feedback period.

Key changes introduced with this latest version are:

  • Clarification of language (changes made to the Introduction, PCI Applicability, Scoping, Use of Third Parties and Assessment Phases sections)
  • Updates to guidance
  • Removal of redundant language
  • Removal of SSL and early TLS as examples of strong cryptography
  • Minor typographical errors addressed

Some new additions or clarifications have been added:

2.2.3, 2.3, 4.1 Removal of SSL and early TLS as examples of strong cryptography
3.4 If hashed or truncated versions of the primary account number (PAN) exist within the same environment, additional controls will be required (to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN
4.2 SMS (Short Messaging Service) added as an example of end-user messaging technology
6.6 Clarification that if a web application firewall is configured to alert rather than block, a process must exist to respond to alerts in a timely manner
10.6.1 Clarification on logging requirements from systems that provide a security function, but do not themselves store, process or transmit card data
11.3.4 Clarification that penetration testing must validate any segmentation controls for out-of-scope systems

The biggest change lies with the clarifications on SSL and TLS and the release of this version of the Standard was influenced heavily by the NIST deprecation of the SSL protocol and recent update to NIST Special Publication 800-52r1 “Guidelines for the Selection, Configuration and use of Transport Layer Security (TLS) Implementations”.

With immediate effect, new PCI implementations must use alternatives to SSL and early TLS, which expires as a valid PCI DSS security control on 30th June 2016. Prior to that date, existing implementations must have a Mitigation and Risk Plan in place. Existing POS and POI devices verified as not susceptible to SSL and early TLS exploits may be used after 30th June 2016 (based on current known risk).

New eCommerce implementations need not consider consumer browsers as pre-existing infrastructure that needs to be supported.

The Mitigation and Risk Plan needs to consider the following:

  • A description of the data flows and components using the insecure protocols
  • Risk assessment results and the controls that have been put in place
  • Monitoring processes
  • Change control processes (so that SSL and early TLS are not introduced into new environments)
  • Migration Plan overview, with target completion date (no later than 30th June 2016)

The use of SSL and early TLS also has to be considered for ASV scans as use of the insecure protocols result in a failed scan (CVSS score 4.0 and higher have to be remediated and re-scanned). Prior to 30th June 2016, a scanned entity is allowed to work with the ASV and Provide their Mitigation Plan; the ASV can at their discretion then change the CVSS score and record the submittal of the plan within the scan report.

To support the new version of the Standard, new documentation has also been provided and can be found on the PCI SSC website:

  • PCI DSS Summary of changes v3.0 to v3.1
  • RoC Reporting template for v3.1
  • Glossary of Terms, Abbreviations and Acronyms v3.1
  • Merchant and Service Provider AoCs v3.1
  • Merchant SAQs v3.1 (SAQ types A, A-EP, B, B-IP, C, C-VT, D and P2PE-HW)
  • Service Provider SAQ D v3.1
  • SAQ Instructions and Guidelines v3.1
  • PCI DSS Quick Reference Guide v3.1
  • Prioritised Approach for PCI DSS v3.1
  • Prioritised Approach Tool Version 3.1
  • PA-DSS v3.1
  • PA-DSS Summary of Changes v3.0 to v3.1

Additionally, several new Informational Supplements have been released this year:

  • Migration from SSL and Early TLS (to support PCI DSS v3.1 changes)
  • Tokenization Product Security Guidelines
  • Penetration Testing Guidance

PCI DSS version 3.0 is still valid until June 30th 2015, after which date it will be retired. All PCI DSSvalidations after this date must use version 3.1.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.