We’ve felt the need to post this reminder about the changes to the PCI-DSS standards to answer a few questions that may come up. Please note that only some of the information provided below may be directly relevant to your infrastructure, or possibly none of it.
- After PCI-DSS v3.2, the PCI SSC has announced v3.2.1. This update adds no new requirements; it contains updated dates and some technical clarifications. PCI-DSS v3.2 will remain valid through 31 December 2018 and will be retired on 1 January 2019.
- The PCI-DSS v3.2.1 update does not affect PA-DSS, which remains at v3.2.
- PCI-HSM v1.x will expire in April 2019. Therefore it is best to use a device compliant with PCI-HSM v2.x at any PCI audit after April 2018. It would be wise to take the changes between PCI-HSM v1.x and v2.x (such as key lengths, usage of TR-31…) into account and revise your algorithms accordingly.
- For the list of PCI-HSM expiry dates, see the PTS Device Testing and Approval Program Guide (https://www.pcisecuritystandards.org/documents/PTS_Program_Guide_v1-8.pdf), Appendix A.12.
- With PCI-DSS v3.1, mechanisms using SSL/early TLS were required to be removed from systems by 30 June 2016. The industry’s response was that this date was too early, so the deadline was moved from 30 June 2016 to 30 June 2018. As of 30 June 2018, you should no longer be using SSL/early TLS anywhere in your systems.
- Since the known vulnerabilities and exploits affecting SSL/early TLS (such as POODLE and BEAST) are mostly browser-based, POS POI devices may continue to use SSL/early TLS, provided it can be shown that they are not exposed to such threats. Even where this is allowed, weak ciphers (e.g. RC4, MD5) are still not permitted on these devices.
- We’ve seen that for some of our customers the term SSL/early TLS is not clear enough. The safe TLS versions are TLS v1.1 and above; note that the recommended versions are TLS v1.2 and above.
- For further information about SSL/early TLS, please see the PCI SSC’s information supplement: https://www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf
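As an added example (not part of the original reminder or any PCI SSC material), the script below applies the SSL/early TLS, TLS v1.1 and weak-cipher rules summarised above to an inventory of negotiated connections. The `key=value` record format, the `poi=yes` marker for a POI device verified as not susceptible, and the sample hosts are all constructed for the example.

```python
import re

# Rules taken from the guidance summarised above: SSL and TLS 1.0 ("early TLS")
# are prohibited after 30 June 2018, TLS 1.1 is permitted but not recommended,
# TLS 1.2 and above are recommended. RC4/MD5 are never allowed, POI included.
PROHIBITED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
TOLERATED_VERSIONS = {"TLSv1.1"}
WEAK_CIPHER = re.compile(r"RC4|MD5", re.IGNORECASE)
# Records are 'key=value' pairs; this log format is constructed for the example.
LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one connection record into a dict of its key=value fields."""
    return dict(LOG_FIELD.findall(line))


def classify(record):
    """Return (verdict, reason); verdict is 'prohibited', 'tolerated' or 'ok'.
    poi=yes marks a POS POI device verified as not exposed to the browser-based
    SSL/early TLS attacks; it keeps the protocol exception, never a weak cipher."""
    proto = record.get("proto", "")
    cipher = record.get("cipher", "")
    is_poi = record.get("poi", "no").lower() == "yes"
    if WEAK_CIPHER.search(cipher):  # checked first: no device may use these
        return "prohibited", f"weak cipher {cipher} is not allowed on any device"
    if proto in PROHIBITED_VERSIONS:
        if is_poi:
            return "tolerated", f"{proto} permitted only because device is verified POI"
        return "prohibited", f"{proto} is SSL/early TLS (cut-off 30 June 2018)"
    if proto in TOLERATED_VERSIONS:
        return "tolerated", f"{proto} permitted, but TLS v1.2 or above is recommended"
    return "ok", f"{proto} with {cipher}"


def audit(lines):
    """Return (host, verdict, reason) for every record in lines."""
    records = (parse_line(line) for line in lines)
    return [(rec.get("host", "?"), *classify(rec)) for rec in records]


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2018-07-01T09:00:01Z host=pay-gw-01 poi=no proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256",
    "2018-07-01T09:00:02Z host=legacy-web poi=no proto=TLSv1 cipher=AES128-SHA",
    "2018-07-01T09:00:03Z host=pos-terminal-7 poi=yes proto=TLSv1 cipher=AES128-SHA",
    "2018-07-01T09:00:04Z host=pos-terminal-8 poi=yes proto=TLSv1 cipher=RC4-MD5",
    "2018-07-01T09:00:05Z host=api-edge poi=no proto=TLSv1.1 cipher=ECDHE-RSA-AES256-SHA",
]

if __name__ == "__main__":
    for host, verdict, reason in audit(SAMPLE_LOG):
        print(f"{host:16} {verdict:10} {reason}")
```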