Changes from PCI DSS 3.0 to 3.1: What You Need to Know

The first half of 2015 brought a series of PCI standard updates that entities must abide by. On June 30, 2015, the Payment Card Industry Data Security Standard 3.0 was officially retired and replaced by the DSS 3.1. But what are the changes, and what does it mean for your PCI compliance? Read this walkthrough of what changed from PCI Data Security Standard Version 3.0 to Version 3.1 to keep your data security up-to-date.

The Nature of Changes

“We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data,” said Stephen W. Orfei, the PCI Security Standards Council General Manager. In the Summary of Changes, the SSC outlined three types of changes that occur between PCI DSS 3.0 and 3.1: clarification, additional guidance, and evolving requirement.

The most common change between these documents is a clarification, meaning the wording has been adjusted to make the standard’s intent clearer. Similarly, “additional guidance” is added information to expand, define, instruct, or otherwise provide further information on a particular topic. “Evolving requirements” refers to adjustments in the policy made to accommodate changing industry and market behavior.

The Big Change: SSL

The SSC’s Summary of Changes makes clear the one source of major change for the DSS 3.1: the removal of SSL as an acceptable standard for securing PCI data. While SSL is still mentioned in the DSS, the Summary notes that “SSL and early TLS are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016.”

Many SSL vulnerabilities have been exposed, given the protocol’s age and broad use. The vulnerability disclosed in late 2014 known as “POODLE” (Padding Oracle On Downgraded Legacy Encryption) allows an attacker to decrypt data secured by SSL 3.0, and because it is a flaw in the protocol itself it cannot be eliminated with a software patch. Though TLS superseded SSL 3.0 with added security features and bug fixes, SSL is still enabled on many servers, exposing users to these vulnerabilities. For this reason, the Council recommends that entities migrate away from SSL sooner than the required date.

Planning Your Migration and Mitigation

The Council has also provided a supplemental guide, Migrating from SSL and Early TLS, which explains how existing SSL implementations and any future implementations must be handled. Entities still using SSL must put in place a risk mitigation plan and a migration plan to a minimum of TLS v1.1. The SSC notes, however, that not all implementations of TLS v1.1 are considered secure, so TLS v1.2 is strongly encouraged.
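As an added example (not code from OnRamp or from the Council’s migration guide), the following Python script audits nginx-style `ssl_protocols` directives against the June 30, 2016 cutoff and the TLS v1.1 floor described above, and rewrites them to offer only TLS v1.2 or later. The sample config, the protocol classification and the status labels are constructed for illustration.

```python
"""Audit nginx-style ssl_protocols directives against the PCI DSS 3.1 cutoff."""
import re
from datetime import date

# Date from the PCI DSS 3.1 Summary of Changes: after it, SSL and early TLS
# may no longer be used as a security control.
CUTOFF = date(2016, 6, 30)

# Constructed classification of the protocol tokens nginx accepts.
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}   # SSL and early TLS
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}      # TLS v1.2 is what the SSC encourages
# Anything else that is not forbidden (i.e. TLSv1.1) is the allowed floor.

# Group 1 keeps the indentation, group 2 is the protocol list.
DIRECTIVE = re.compile(r"^([ \t]*)ssl_protocols\s+([^;]+);", re.MULTILINE)

# Constructed sample: one server still offering SSLv3/TLSv1, one on the floor.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.1;
}
"""

def audit(config_text, today):
    """Return (directive, status, detail) for every ssl_protocols directive."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        enabled = set(m.group(2).split())
        bad = sorted(enabled & FORBIDDEN)
        if bad and today > CUTOFF:
            status, detail = "FAIL", "SSL/early TLS enabled after cutoff: " + ", ".join(bad)
        elif bad:
            status, detail = "MITIGATE", "risk mitigation and migration plan required: " + ", ".join(bad)
        elif not enabled & RECOMMENDED:
            status, detail = "WARN", "only TLSv1.1 offered; TLSv1.2 strongly encouraged"
        else:
            status, detail = "PASS", "no SSL or early TLS offered"
        findings.append((m.group(0).strip(), status, detail))
    return findings

def remediate(config_text):
    """Keep only recommended versions in each directive, defaulting to TLSv1.2."""
    def fix(m):
        keep = sorted(set(m.group(2).split()) & RECOMMENDED) or ["TLSv1.2"]
        return m.group(1) + "ssl_protocols " + " ".join(keep) + ";"
    return DIRECTIVE.sub(fix, config_text)

if __name__ == "__main__":
    for directive, status, detail in audit(SAMPLE_CONFIG, date.today()):
        print(f"{status:8} {directive}  # {detail}")
    print(remediate(SAMPLE_CONFIG))
```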

How to Stay PCI Compliant

You don’t want to take chances when it comes to your data’s PCI compliance. In addition to keeping up with new PCI deadlines, it’s important to find the right hosting provider that constantly assesses your compliance so your data is never at risk of being compromised. With the right provider, you can have 24/7 support that will keep you up-to-date and secure. Learn more about OnRamp’s PCI compliant hosting.