PCI DSS 3.0 Revised – Version 3.1 Scheduled for April 2015

PCI DSS Version 3 Changes:

In a nutshell, all merchants must upgrade from the SSL protocol to the most current, secure version of TLS to meet PCI DSS version 3.1, scheduled to roll out in April. Secure Sockets Layer (SSL) is no longer an acceptable protocol for protecting cardholder data under the PCI standards; it is no longer considered “strong cryptography”.

PCI DSS version 3.0 was released in November 2014 and rolled out only a few months ago; about 4 months after that release, the PCI Security Standards Council has decided to revise it to version 3.1 to address the more recent SSL v3.0 vulnerabilities (the Heartbleed flaw, the POODLE flaw and the FREAK attack) and to provide additional guidance on requirement 2.2.3 (encryption over VPN, FTP, or similar services), requirement 2.3 (encryption for web-based management), and requirement 4.1 (encryption of card data over open, public networks).

If you are a merchant or a service provider subject to PCI DSS compliance, it’s important to inventory your assets to determine how many of them are still using SSL. From there, develop a plan to upgrade them to TLS v1.2, or whatever version is current at the time of your reading.
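As an added example (not part of the original post), here is a small Python triage script that reads the protocol sections of `nmap --script ssl-enum-ciphers` output for your in-scope hosts and flags which ones still accept SSL or do not yet offer TLS 1.2. The host names and scan text below are constructed, and the nmap output layout is assumed rather than quoted from the tool's documentation.

```python
import re
from typing import Dict, List
# Constructed sample (not from the page) in the layout of `nmap --script ssl-enum-ciphers`
# output for two in-scope hosts; the layout itself is assumed, not quoted from nmap docs.
SAMPLE_SCAN = """\
Nmap scan report for legacy-pos.example.internal (10.0.0.5)
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
Nmap scan report for web-gw.example.internal (10.0.0.9)
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")

def parse_protocols(scan_text: str) -> Dict[str, List[str]]:
    """Map each scanned host to the protocol versions its server accepted."""
    protocols: Dict[str, List[str]] = {}
    host = None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            protocols[host] = []
            continue
        m = PROTO_RE.match(line)
        if m and host is not None:
            protocols[host].append(m.group(1))
    return protocols

def triage(protocols: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict per host: any SSL version must be disabled, and TLS 1.2+ must be offered."""
    verdicts = {}
    for host, versions in protocols.items():
        if any(v.startswith("SSLv") for v in versions):
            verdicts[host] = "disable SSL"
        elif "TLSv1.2" in versions or "TLSv1.3" in versions:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "upgrade to TLS 1.2"
    return verdicts
```

Feed it the saved output of a scan over your own cardholder-data environment and the verdict list doubles as the starting inventory for the migration plan.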
