For those tempted to delay migration away from Secure Sockets Layer (SSL)/early Transport Layer Security (TLS)—don’t wait! This includes all versions of SSL and version 1.0 of TLS (TLS v1.1 and newer are fine).
For Payment Card Industry Data Security Standard (PCI-DSS) compliance, you can’t simply migrate sometime before your next PCI audit. Rather, you must have compliant scans in every quarter, and your Approved Scanning Vendor (ASV) may no longer issue an Attestation of Scan Compliance (AoSC) for systems running SSL/early TLS. Because these scans are required every quarter, a single non-compliant quarter can cause the next audit to fail. However, this might not apply to those seeking first-time compliance.
This is Now
June 30, 2018 was the last day that organizations could be compliant while running SSL and early TLS within the public, untrusted network (i.e. the Internet). Note that SSL and early TLS are still fine to use within the cardholder data environment or any trusted network.
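A quick way to see whether an Internet-facing endpoint still negotiates SSL/early TLS, as an added example that is not part of the original post: each handshake is pinned to one protocol version using Python's standard `ssl` module, and `pci_findings` flags anything at or below TLS 1.0 (TLS 1.1 and newer pass, matching the rule above). The host name used in the `__main__` block is a placeholder, and SSLv2 is not probed because modern OpenSSL cannot offer it.

```python
import socket
import ssl

# Versions the post treats as "SSL/early TLS" (SSLv2 is untestable from modern OpenSSL).
EARLY_TLS = ("SSLv3", "TLSv1")

VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def version_accepted(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns True if the server completes the handshake, False if it refuses
    (or the connection fails), and None if the local OpenSSL build cannot
    even offer that version, so the result is inconclusive.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # only the negotiated version matters here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower the OpenSSL security level so distributions that block
        # TLS 1.0/1.1 client-side do not mask what the server accepts.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def survey(host, port=443):
    """Map each protocol name to True/False/None for one endpoint."""
    return {name: version_accepted(host, port, ver) for name, ver in VERSIONS.items()}


def pci_findings(results):
    """Names of SSL/early-TLS versions the server still accepted (empty == clean)."""
    return [name for name in EARLY_TLS if results.get(name) is True]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    res = survey(target)
    for name, ok in res.items():
        print(f"{name:8} {'accepted' if ok else 'refused' if ok is False else 'not testable'}")
    print("early TLS still enabled:", pci_findings(res) or "none")
```

A `None` result means your scanner host could not offer that version at all; rerun from a build that can before treating the endpoint as clean.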
POS POI Terminals
However, there is an exception: existing Point of Sale/Point of Interaction (POS/POI) terminals using SSL/early TLS might be compliant. New POS/POI terminal implementations will not be compliant with SSL/early TLS, even if already purchased.
Are your POS POI terminals compliant? PIN Transaction Security (PTS) devices can be checked here: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
Additionally, if new exploits are introduced that affect POI terminals and cannot be addressed by a patch or compensating controls, the POI terminals will need to be updated immediately. POS/POI terminals that are compliant today while using SSL/early TLS might lose their compliance if vulnerabilities are identified in the future.
Security Controls Need Compensating Controls
If SSL/early TLS is being used as a security control for PCI-DSS (not for POS POI) after the June 30 deadline, ensure compensating controls are implemented to mitigate the risk associated with its use. As before the deadline, a risk mitigation and migration plan will be required.
Individual Qualified Security Assessors (QSAs) will use their own discretion as to what constitutes an acceptable compensating control, and will evaluate it against PCI-DSS Appendices B and C.
We cannot be sure how long the Payment Card Industry Security Standards Council (PCI-SSC) will allow compensating controls for this, so act on this ASAP! Talk with your QSA today to plan and implement a compliant compensating control. Again, you cannot risk missing a quarter.
If SSL/early TLS is present but is not being used for PCI compliance, that use can continue, though it is not advised.
Related resources include:
Author: Steve Maxwell
Steve has over 18 years of experience, ranging from software development, software quality, performance engineering, information security, and internal audit. Before TrustedSec, Steve performed a number of functions supporting security initiatives within the retail and healthcare industries. He has presented to and trained hundreds on automation, performance engineering, and attack mitigation techniques.