Finally, a minor version of the PCI DSS 3.0 standard (now version 3.1; the last minor release was v1.2.1, many years ago) has been released by the PCI SSC to address the vulnerable SSL/early TLS protocols, along with a few clarifications of other requirements. PCI DSS v3.1 is effective immediately. PCI DSS v3.0 will be retired on 30 June 2015.
Why suddenly a v3.1, outside the normal PCI SSC standard life cycle? The PCI SSC receives feedback from industry experts, including institutes such as NIST and SANS, in light of evolving technology and threats to cardholder data. In this case, the trigger was the POODLE attack on SSL/early TLS. Because this is very critical, the PCI SSC has published a minor version, PCI DSS v3.1, addressing mainly the insecure use of SSL as an encryption protocol within a Cardholder Data Environment (CDE).
Following are the major changes in PCI DSS 3.1:
So don’t use SSL/early TLS, that’s it! That cold! No further guidance!?
No. For Requirements 2.2.3, 2.3 and 4.1, PCI DSS v3.1 has added the following note:
This means that if you are currently being assessed for PCI DSS v3.0 and want to know what more you need to do mainly for PCI DSS v3.1, you just need to maintain a formal risk mitigation and migration plan for SSL and/or early TLS, which should be executed before June 30th, 2016.
So what should this risk mitigation and migration plan contain, at a minimum?
All the above documents are available at https://www.pcisecuritystandards.org/security_standards/documents.php
We are opening up the debate on our own blog post. Feel free to discuss.