Hello PCI 3.2. Goodbye SSL and Early TLS.

February 5, 2018
Compliance, Data Protection, Financial Services, IT Security, Retail


PCI DSS 3.2 launched April 2016, but components of it weren’t slated to go into effect until 2018. It’s 2018 now, and one of those components has a fast-approaching deadline.

June 30, 2018 is the last day to disable Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) and replace them with a more secure encryption protocol in order to meet the PCI DSS requirements for safeguarding payment data and helping to ensure retail data security. In the PCI Security Standards Council's terminology, "early TLS" means TLS 1.0 and, depending on how it is configured, TLS 1.1.

Specifically, SSL and early TLS cannot be used as a security control to meet the following PCI DSS requirements:

Requirement 2.2.3: implement additional security features for any required services, protocols or daemons that are considered insecure.
Requirement 2.3: encrypt all non-console administrative access using strong cryptography.
Requirement 4.1: use strong cryptography and security protocols to safeguard cardholder data during transmission over open, public networks.

Who is at risk?

If your organization stores, processes, or transmits payment cardholder data and/or sensitive authentication data and is still using SSL or early TLS, it's time to get off the dime and move on. There are a number of serious vulnerabilities in SSL and early TLS that, left unaddressed, can put your business at risk of a data breach. Even though these vulnerabilities have been known for years, there are no fixes or patches for them: the flaws are in the protocol versions themselves, so the only remedy is to stop using those versions. Organizations with e-commerce sites may be at the greatest risk, because their TLS endpoints are exposed to the public internet and to whatever protocol versions their visitors' clients will negotiate.

Who is exempt?

Point-of-sale (POS) point-of-interaction (POI) payment terminals, and the SSL and early TLS termination points they connect to, are exempt and can continue using SSL and early TLS after the June 30, 2018 deadline, provided they can be verified as not being susceptible to any of the known exploits for those protocols. In practice that means keeping their patches up to date and ensuring only the necessary extensions are enabled. The exemption covers only the POI-to-termination-point connection; it is not a license to keep SSL or early TLS enabled elsewhere in the cardholder data environment.

Your to-do list

To mitigate the potential for a data breach and meet the PCI DSS requirements, the PCI Security Standards Council calls for migrating to a minimum of TLS 1.1, with TLS 1.2 strongly recommended. Migrating is the only reliable way to protect against the known protocol vulnerabilities, since none of them can be patched away. In practice that means inventorying every place SSL or TLS 1.0 is still enabled (web servers, load balancers, APIs, mail and administrative interfaces, and the clients and integrations that connect to them), disabling the old versions, verifying the result from outside the environment, and keeping the setting in place through change control. More information can be found in the PCI Security Standards Council's 2016 information supplement, Migrating from SSL and Early TLS.
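As an added example (not code from the original post, from US Signal or from the PCI SSC), the following Python script turns that bar into a check: it audits an ssl.SSLContext before deployment, shows the weak "no floor set" configuration beside the hardened TLS 1.2 one, and probes a live server for the protocol versions it will complete a handshake with. The mapping of PCI's terms onto ssl.TLSVersion, the list of weak cipher-name markers, the verdict wording and all function names are my own assumptions.

```python
"""Check TLS protocol floors against the PCI DSS 3.2 bar (added example).

Bar assumed from the PCI SSC migration guidance: SSL and TLS 1.0 are
prohibited as a security control, TLS 1.1 is the floor, TLS 1.2 is the
recommended target. Function names and weak-cipher markers are assumptions.
"""
import socket
import ssl

FLOOR = ssl.TLSVersion.TLSv1_1          # lowest version allowed after 30 June 2018
RECOMMENDED = ssl.TLSVersion.TLSv1_2    # what the PCI SSC actually recommends
PROHIBITED = ("SSLv3", "TLSv1")         # TLSVersion names for SSL / early TLS
# Cipher-name substrings a practitioner would also refuse (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def audit_context(ctx):
    """Return findings for an ssl.SSLContext; an empty list means it passes."""
    findings = []
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED means "whatever the linked OpenSSL allows", which on
    # older builds includes SSL 3.0 and TLS 1.0, so it fails the audit too.
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor < FLOOR:
        findings.append("minimum_version below TLS 1.1: SSL/early TLS accepted")
    elif floor < RECOMMENDED:
        findings.append("minimum_version is TLS 1.1: allowed, but TLS 1.2 is recommended")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite enabled: " + name)
    return findings


def weak_server_context():
    """The 'before' configuration: no protocol floor was ever set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context():
    """The 'after' configuration: TLS 1.2 floor, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = RECOMMENDED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    # A real deployment also calls ctx.load_cert_chain(certfile, keyfile).
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Live check: which versions does host:port complete a handshake with?

    Each version gets a client context pinned to exactly that version, so a
    successful handshake proves the server accepts it. Needs network access.
    Caveat: the answer is bounded by the local OpenSSL; a build that disables
    TLS 1.0/1.1 itself (OpenSSL 3 at its default security level) reports them
    as refused even when the server would accept them.
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # probing the protocol, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version()   # handshake succeeded
        except (ssl.SSLError, OSError, ValueError):
            results[version.name] = None                    # refused or unsupported
    return results


def pci_verdict(results):
    """Map a probe result (version name -> negotiated version or None) to a verdict."""
    accepted = [v for v in PROHIBITED if results.get(v)]
    if accepted:
        return "FAIL: server still accepts " + ", ".join(accepted)
    if results.get("TLSv1_1"):
        return "PASS (TLS 1.1 still enabled; the PCI SSC recommends TLS 1.2 as the floor)"
    return "PASS"


if __name__ == "__main__":
    print("weak context:", audit_context(weak_server_context()))
    print("hardened context:", audit_context(hardened_server_context()))
    # Live probe of one of your own hosts (hypothetical hostname), e.g.:
    # print(pci_verdict(probe_versions("payments.example.com")))
```

Run the audit against the contexts your own services build, and run the probe from outside the environment against every external endpoint in scope. Because of the caveat in probe_versions, a "refused" result for TLS 1.0 on a modern OpenSSL only tells you what that client could negotiate; confirm it with a scanner that can still speak the old versions before recording the host as compliant.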

Mitigate your risks with help

Keeping pace with ever-changing security threats, as well as the requirements of PCI DSS, is time-consuming, labor-intensive and costly for many organizations. One way to lighten the load is to partner with a third-party IT solutions provider that has an in-depth understanding of the PCI DSS, stays current with its latest iterations, and knows how to implement the PCI-specific security controls in the IT services integral to your business. US Signal is one of those companies.

US Signal offers a wide array of IT solutions to help organizations in the retail industry maximize their technology resources and protect their data. The company continues to make extensive investments in the PCI-compliant infrastructure that underlies its cloud and colocation solutions, as well as in developing the requisite compliance expertise.

To learn how US Signal can help your organization, call 866.2.SIGNAL or email [email protected]