A Guide to the PCI DSS 3.2 Migration Requirement
If you are a merchant of any size (yes, even you, small business owners), there are some very important required compliance change deadlines that are quickly approaching. Before you tune out because this “probably doesn’t apply to you,” it’s essential to understand that these changes require action at the site or store level.
If you are currently using an SSL/early TLS protocol to secure communications within your business, the upcoming PCI DSS implementation deadline is something you need to pay attention to. SSL and early TLS are both cryptographic protocols used to authenticate systems and to protect data transmitted between two or more parties from being intercepted.
All merchant levels are affected by these PCI DSS changes, including small businesses.
As of June 30th, the SSL/early TLS protocols will no longer satisfy the requirement for payment card data encryption, and businesses that use these protocols must migrate to modern, more secure cryptographic measures.
Some migration options include:
- Upgrading to a current version of TLS with a secure implementation
  - If this option is chosen, the implementation must not allow fallback to SSL/early TLS
- Field- or application-level encryption of the data before it is sent over existing SSL/early TLS
- Establishing a strongly encrypted session before sending information over SSL
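As an added illustration (not code from NuArx or the PCI SSC document), the following Python uses the standard `ssl` module to build a server context that negotiates TLS 1.2 or later with no fallback to SSL/early TLS (the first option above), and to assess a constructed list of protocols of the kind a scan reports; the scan-line format and protocol names are assumptions.

```python
"""Added example, not NuArx or PCI SSC code: configure TLS with no
SSL/early-TLS fallback and assess the protocols a scan says a host offers."""
import ssl

# Versions the PCI DSS 3.2 migration requirement rules out for protecting
# payment card data.
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1.0"}
# Permitted by the requirement, but the PCI SSC recommends TLS 1.2 or higher.
DISCOURAGED = {"TLSv1.1"}
# Lowest version the hardened server context will negotiate.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def parse_scan_lines(lines):
    """Parse constructed scan output of the form '<protocol>: offered' /
    '<protocol>: not offered' (an assumed format, not a real ASV report)
    and return the set of protocols the host accepts."""
    offered = set()
    for line in lines:
        proto, _, state = line.partition(":")
        if state.strip().lower() == "offered":
            offered.add(proto.strip())
    return offered


def assess_offered_protocols(offered):
    """Return (failing, warnings): 'failing' lists SSL/early TLS versions that
    would not satisfy the requirement, 'warnings' lists versions that pass
    but fall short of the PCI SSC recommendation."""
    failing = sorted(p for p in offered if p in DISALLOWED)
    warnings = sorted(p for p in offered if p in DISCOURAGED)
    return failing, warnings


def pci_server_context():
    """Server-side context for the first migration option in the text:
    current TLS only, with no fallback to SSL or early TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS  # refuses SSLv3, TLS 1.0 and TLS 1.1 handshakes
    return ctx


def has_early_tls_fallback(ctx):
    """True if the context could still negotiate SSL or early TLS."""
    return ctx.minimum_version < MIN_TLS


if __name__ == "__main__":
    # Constructed sample scan of a legacy POS gateway (not real data).
    sample = ["SSLv3: not offered", "TLSv1.0: offered",
              "TLSv1.1: offered", "TLSv1.2: offered"]
    failing, warnings = assess_offered_protocols(parse_scan_lines(sample))
    print("fails migration requirement:", failing)  # ['TLSv1.0']
    print("below recommendation:", warnings)         # ['TLSv1.1']
    print("hardened context can fall back:", has_early_tls_fallback(pci_server_context()))
```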
To add further security to your network, use multi-factor authentication in combination with any of the above solutions. For businesses that use any kind of remote access, it is now required to implement multi-factor authentication to protect your Cardholder Data Environment. Remote access points now include support servers and Remote Desktop Protocol use, even when a corporate network is being used.
GET PREPARED BEFORE IT'S TOO LATE
SSL/early TLS systems are returning scores of 4.3 in the Common Vulnerability Scoring System (CVSS), which places merchants with these scores in a medium to high risk category. Once a business falls into this category they must conduct additional scans and make corrections to the affected areas using an Approved Scanning Vendor (ASV), such as NuArx. As a part of the PCI DSS assessment process, store owners will have to submit a Risk Mitigation and Migration Plan to remain compliant.
The following elements should be detailed within the Plan:
- How your protocols are used
- Environment (payment channel)
- Type of data transmitted
- Type and quantity of systems supporting the protocols (POS systems)
- Risk assessment results
- Risk reduction controls that are currently in place
- Risk monitoring processes
- Migration completion date
While POI (point-of-interaction) merchants are in the clear for now, they are strongly encouraged to upgrade to newer TLS versions. While POIs are not currently showing vulnerabilities, there is no telling what the future might hold for these systems. If the choice is made to continue using SSL/early TLS in conjunction with POI systems and the merchant is determined by an ASV to be resistant to vulnerabilities, a petition may be submitted to the PCI Security Standards Council detailing why the merchant disagrees with the National Vulnerability Database rating. Here at NuArx, our customers are taken care of.
When you sign up for our Continuous Compliance Management, you can be sure that all of your PCI DSS requirements are met and that we, together, are doing everything we can to Protect Your Brand | Business | Customers.
www.NuArxInc.com | Facebook: @NuArxInc | Twitter: @NuArxInc | LinkedIn: @NuArx | 877-556-8279
PCI Security Standards Council. “Migrating from SSL and Early TLS.” PCI Data Security Standards, Apr. 2016, www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf?agreement=true&time=1515507310696.