With PCI DSS version 3.1 now released, what will the impact to operators be?
PCI DSS version 3.1 has been released as part of the 36-month PCI DSS lifecycle and incorporates changes resulting from the end of the version 3.0 feedback period.
Key changes introduced with this latest version are:
Some new additions or clarifications have been added:
| Requirement | Change |
|---|---|
| 2.2.3, 2.3, 4.1 | Removal of SSL and early TLS as examples of strong cryptography |
| 3.4 | If hashed or truncated versions of the primary account number (PAN) exist within the same environment, additional controls will be required (to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN) |
| 4.2 | SMS (Short Messaging Service) added as an example of end-user messaging technology |
| 6.6 | Clarification that if a web application firewall is configured to alert rather than block, a process must exist to respond to alerts in a timely manner |
| 10.6.1 | Clarification on logging requirements for systems that provide a security function but do not themselves store, process or transmit card data |
| 11.3.4 | Clarification that penetration testing must validate any segmentation controls for out-of-scope systems |
The biggest change is the clarification on SSL and TLS. The release of this version of the Standard was influenced heavily by the NIST deprecation of the SSL protocol and the recent update to NIST Special Publication 800-52r1, “Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS) Implementations”.
With immediate effect, new PCI implementations must use alternatives to SSL and early TLS; SSL and early TLS cease to be a valid PCI DSS security control on 30th June 2016. Prior to that date, existing implementations must have a Mitigation and Risk Plan in place. Existing POS and POI devices verified as not susceptible to SSL and early TLS exploits may continue to be used after 30th June 2016 (based on currently known risk).
New eCommerce implementations need not consider consumer browsers as pre-existing infrastructure that needs to be supported.
The Mitigation and Risk Plan needs to consider the following:
The use of SSL and early TLS also has to be considered for ASV scans, as use of the insecure protocols results in a failed scan (findings with a CVSS score of 4.0 or higher must be remediated and re-scanned). Prior to 30th June 2016, a scanned entity is allowed to work with the ASV and provide its Mitigation Plan; the ASV may then, at its discretion, adjust the CVSS score and record the submission of the plan within the scan report.
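The two passages above (the 30th June 2016 sunset with its POS/POI exception, and the ASV rule that findings scoring 4.0 or higher fail the scan unless a Mitigation Plan is accepted before the sunset) can be expressed as a small decision helper. The following Python is an added example written for this page; it is not code from the PCI SSC, the article's author, or any ASV. The page does not list which protocol versions count as "SSL and early TLS", so the set `SSL_EARLY_TLS` (SSLv2, SSLv3 and TLS 1.0) is an assumption, as are the `Finding` record layout and the constructed sample findings; a real ASV report would carry its own fields.

```python
"""Added example: apply the PCI DSS 3.1 SSL/early TLS rules described on the
page to a constructed list of ASV-style findings. Not PCI SSC or ASV code."""
from dataclasses import dataclass
from datetime import date

# Stated on the page: SSL and early TLS stop being a valid control after this date.
SSL_EARLY_TLS_SUNSET = date(2016, 6, 30)

# Stated on the page: ASV findings scored 4.0 or higher must be remediated.
ASV_FAIL_THRESHOLD = 4.0

# ASSUMPTION: the page does not define "early TLS"; this set is illustrative.
SSL_EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1.0"}


@dataclass(frozen=True)
class Finding:
    """One ASV-style finding (hypothetical record layout)."""
    host: str
    cvss: float
    protocol: str = ""            # e.g. "TLSv1.0"; empty when not a protocol finding
    new_implementation: bool = False   # page: new implementations get no grace period
    pos_poi_verified: bool = False     # page: POS/POI verified not susceptible


def is_ssl_or_early_tls(protocol: str) -> bool:
    """True when the named protocol falls in the (assumed) SSL/early TLS set."""
    return protocol in SSL_EARLY_TLS


def assess(finding: Finding, scan_date: date, plan_submitted: bool) -> str:
    """Classify a finding as 'pass', 'fail', 'mitigation_plan_accepted' or
    'pos_poi_exception' according to the rules quoted on the page.

    The ASV's discretion to adjust the CVSS score is modelled as: a plan
    submitted on or before the sunset date is accepted; after it, the
    finding simply fails.
    """
    if finding.cvss < ASV_FAIL_THRESHOLD:
        return "pass"                      # below the ASV failure threshold
    if not is_ssl_or_early_tls(finding.protocol):
        return "fail"                      # ordinary finding: remediate and re-scan
    if finding.new_implementation:
        return "fail"                      # no SSL/early TLS in new implementations
    if finding.pos_poi_verified:
        return "pos_poi_exception"         # may continue after the sunset date
    if scan_date <= SSL_EARLY_TLS_SUNSET and plan_submitted:
        return "mitigation_plan_accepted"  # ASV records the plan in the report
    return "fail"


def summarize(findings, scan_date: date, plan_submitted: bool) -> dict:
    """Count outcomes across a scan; any 'fail' means the scan as a whole fails."""
    counts = {"pass": 0, "fail": 0, "mitigation_plan_accepted": 0, "pos_poi_exception": 0}
    for f in findings:
        counts[assess(f, scan_date, plan_submitted)] += 1
    counts["scan_passed"] = counts["fail"] == 0
    return counts


# Constructed sample findings (not real scan data).
SAMPLE_FINDINGS = [
    Finding("web-1.example.test", 4.3, protocol="TLSv1.0"),
    Finding("web-2.example.test", 2.6, protocol="TLSv1.2"),
    Finding("pos-7.example.test", 4.3, protocol="SSLv3", pos_poi_verified=True),
]

if __name__ == "__main__":
    for when in (date(2016, 3, 1), date(2016, 7, 1)):
        print(when, summarize(SAMPLE_FINDINGS, when, plan_submitted=True))
```

Run as a script it prints the outcome counts for a scan dated before and after the sunset: before it, the TLS 1.0 finding is carried by the Mitigation Plan and the scan passes; after it, the same finding fails while the verified POS device keeps its exception.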
To support the new version of the Standard, new documentation has also been provided and can be found on the PCI SSC website:
Additionally, several new Informational Supplements have been released this year:
PCI DSS version 3.0 is still valid until June 30th 2015, after which date it will be retired. All PCI DSS validations after this date must use version 3.1.