PCI DSS version 3.1

Mike Chandler, Head of Practice, Governance and Security Strategy, UK
June, 2015
4 mins read

Key changes introduced with this latest version are:

  • Clarification of language (changes made to the Introduction, PCI Applicability, Scoping, Use of Third Parties and Assessment Phases sections)
  • Updates to guidance
  • Removal of redundant language
  • Removal of SSL and early TLS as examples of strong cryptography
  • Minor typographical errors addressed 


Some new additions or clarifications have been added:



2.2.3, 2.3, 4.1

Removal of SSL and early TLS as examples of strong cryptography


If hashed or truncated versions of the primary account number (PAN) exist within the same environment, additional controls will be required (to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN


SMS (Short Messaging Service) added as an example of end-user messaging technology


Clarification that if a web application firewall is configured to alert rather than block, a process must exist to respond to alerts in a timely manner


Clarification on logging requirements from systems that provide a security function, but do not themselves store, process or transmit card data


Clarification that penetration testing must validate any segmentation controls for out-of-scope systems

The biggest change lies with the clarifications on SSL and TLS and the release of this version of the Standard was influenced heavily by the NIST deprecation of the SSL protocol and recent update to NIST Special Publication 800-52r1 “Guidelines for the Selection, Configuration and use of Transport Layer Security (TLS) Implementations”.


With immediate effect, new PCI implementations must use alternatives to SSL and early TLS, which expires as a valid PCI DSS security control on  June 30, 2016. Prior to that date, existing implementations must have a Mitigation and Risk Plan in place. Existing POS and POI devices verified as not susceptible to SSL and early TLS exploits may be used after 30th June 2016 (based on current known risk).


New eCommerce implementations need not consider consumer browsers as pre-existing infrastructure that needs to be supported.


The Mitigation and Risk Plan needs to consider the following:

  • A description of the data flows and components using the insecure protocols
  • Risk assessment results and the controls that have been put in place
  • Monitoring processes
  • Change control processes (so that SSL and early TLS are not introduced into new environments)
  • Migration Plan overview, with target completion date (no later than 30th June 2016)


The use of SSL and early TLS also has to be considered for ASV scans as use of the insecure protocols result in a failed scan (CVSS score 4.0 and higher have to be remediated and re-scanned). Prior to June 30, 2016, a scanned entity is allowed to work with the ASV and Provide their Mitigation Plan; the ASV can at their discretion then change the CVSS score and record the submittal of the plan within the scan report.


To support the new version of the Standard, new documentation has also been provided and can be found on the PCI SSC website:

  • PCI DSS Summary of changes v3.0 to v3.1
  • RoC Reporting template for v3.1
  • Glossary of Terms, Abbreviations and Acronyms v3.1
  • Merchant and Service Provider AoCs v3.1
  • Merchant SAQs v3.1 (SAQ types A, A-EP, B, B-IP, C, C-VT, D and P2PE-HW)
  • Service Provider SAQ D v3.1
  • SAQ Instructions and Guidelines v3.1
  • PCI DSS Quick Reference Guide v3.1
  • Prioritized Approach for PCI DSS v3.1
  • Prioritized Approach Tool Version 3.1
  • PA-DSS v3.1
  • PA-DSS Summary of Changes v3.0 to v3.1


Additionally, several new Informational Supplements have been released this year:

  • Migration from SSL and Early TLS (to support PCI DSS v3.1 changes)
  • Tokenization Product Security Guidelines
  • Penetration Testing Guidance


PCI DSS version 3.0 is still valid until June 30, 2015, after which date it will be retired. All PCI DSS validations after this date must use version 3.1.

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs