Mike Chandler, Head of Practice, Governance and Security Strategy, UK
Key changes introduced with this latest version are:
Some new additions or clarifications have been added to Requirements 2.2.3, 2.3 and 4.1
Removal of SSL and early TLS as examples of strong cryptography
If hashed and truncated versions of the primary account number (PAN) exist within the same environment, additional controls will be required to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN
SMS (Short Messaging Service) added as an example of end-user messaging technology
Clarification that if a web application firewall is configured to alert rather than block, a process must exist to respond to alerts in a timely manner
Clarification on logging requirements from systems that provide a security function, but do not themselves store, process or transmit card data
Clarification that penetration testing must validate any segmentation controls for out-of-scope systems
The biggest change lies with the clarifications on SSL and TLS. The release of this version of the Standard was influenced heavily by the NIST deprecation of the SSL protocol and the recent update to NIST Special Publication 800-52r1, “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations”.
With immediate effect, new PCI implementations must use alternatives to SSL and early TLS, which expire as valid PCI DSS security controls on June 30, 2016. Prior to that date, existing implementations must have a Mitigation and Risk Plan in place. Existing POS and POI devices verified as not susceptible to SSL and early TLS exploits may continue to be used after June 30, 2016 (based on currently known risk).
New eCommerce implementations need not consider consumer browsers as pre-existing infrastructure that needs to be supported.
The Mitigation and Risk Plan needs to consider the following:
The use of SSL and early TLS also has to be considered for ASV scans, as use of these insecure protocols results in a failed scan (findings with a CVSS score of 4.0 or higher must be remediated and re-scanned). Prior to June 30, 2016, a scanned entity is allowed to work with the ASV and provide its Mitigation Plan; the ASV may then, at its discretion, adjust the CVSS score and record the submission of the plan within the scan report.
To support the new version of the Standard, new documentation has also been provided and can be found on the PCI SSC website:
Additionally, several new Informational Supplements have been released this year:
PCI DSS version 3.0 is still valid until June 30, 2015, after which date it will be retired. All PCI DSS validations after this date must use version 3.1.