News Feature | April 27, 2015

PCI DSS 3.1 Data Security Standard Published

By Christine Kern, contributing writer

The PCI Security Standards Council (PCI SSC) has published PCI DSS Version 3.1 and supporting guidance, designed to help organizations address vulnerabilities that may place their payment data at risk. Version 3.1 is available on the PCI SSC website, and PCI DSS Version 3.0 is set to be retired on June 30, 2015.

According to PCICompliance.org, “the major driver of PCI DSS 3.1 is the broader industry’s conclusion that SSL version 3.0 is no longer a secure protocol and therefore must be addressed by the PCI DSS.”

The revisions are an incremental set of enhancements to PCI DSS 3.0, which was introduced in November 2013. The most consequential is the move away from Secure Sockets Layer (SSL), which has been shown to be cryptographically insecure, and from early versions of Transport Layer Security (TLS), toward current TLS versions.
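The two things a team actually has to do after reading this are find out who is still negotiating the old protocols (so the change does not silently break a payment partner) and then make sure their own software can no longer fall back to them. The following is an added example written for this page, not code from the article or from the PCI SSC; it assumes the web server appends the negotiated protocol and cipher to each access-log line (Apache's `%{SSL_PROTOCOL}x %{SSL_CIPHER}x` in `LogFormat`), the log lines are constructed rather than real traffic, and "must migrate" is taken to mean every SSL version plus TLS 1.0, the version the PCI SSC referred to as "early TLS" in 2015.

```python
"""Added example (not from the article or the PCI SSC documents): two checks a
team migrating off SSL / early TLS would run.

Assumptions made for this example:
  * The web server writes the negotiated protocol and cipher at the end of each
    access-log line (Apache: append "%{SSL_PROTOCOL}x %{SSL_CIPHER}x" to LogFormat).
  * The log lines in SAMPLE_LOG are constructed, not real traffic.
  * "Must migrate" means every SSL version plus TLS 1.0 (the PCI SSC's "early
    TLS" in 2015); TLS 1.1 is not flagged here.
"""
import re
import ssl
from collections import Counter

# Constructed sample log, including one malformed line the scanner must skip.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Apr/2015:10:01:02 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [27/Apr/2015:10:01:05 +0000] "POST /checkout HTTP/1.1" 200 498 SSLv3 DES-CBC3-SHA
198.51.100.7 - - [27/Apr/2015:10:02:11 +0000] "GET /cart HTTP/1.1" 200 2048 SSLv3 DES-CBC3-SHA
192.0.2.44 - - [27/Apr/2015:10:03:00 +0000] "POST /checkout HTTP/1.1" 200 517 TLSv1 AES128-SHA
203.0.113.10 - - [27/Apr/2015:10:04:30 +0000] "GET /cart HTTP/1.1" 200 2048 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
this line is not an access-log entry and must be skipped, not crash the scan
"""

# Common-log-format prefix followed by the two assumed trailing fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Protocol names as OpenSSL/Apache report them.
MUST_MIGRATE = {"SSLv2", "SSLv3", "TLSv1"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def weak_protocol_clients(log_text):
    """Map each legacy protocol to a Counter of client IPs that negotiated it.

    Run this over real logs before disabling SSLv3 / TLS 1.0 on the server:
    every IP listed is a client that will stop working the moment you do.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] not in MUST_MIGRATE:
            continue
        report.setdefault(rec["proto"], Counter())[rec["ip"]] += 1
    return report


def hardened_client_context():
    """Client-side TLS context that cannot fall back below TLS 1.2.

    A server that still offers only SSLv3 or TLS 1.0 fails the handshake with
    this context; that is the intended behaviour once the migration is done.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_compliant(ctx):
    """True when the context's protocol floor excludes SSL and early TLS."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for proto, clients in sorted(weak_protocol_clients(SAMPLE_LOG).items()):
        for ip, hits in clients.most_common():
            print(f"{proto:8} {ip:15} {hits} connection(s)")
    print("client floor:", hardened_client_context().minimum_version.name)
```

Point `weak_protocol_clients` at a few weeks of real logs rather than the constructed sample, and treat each IP it reports as a conversation to have with a partner before the cut-over date; the context check is the same idea applied to outbound connections your own code makes to processors and gateways.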

There is a three-year cycle between major updates of PCI DSS and, outside of that cycle, the standard can be updated to react to threats as needed.

“In this case, the Secure Sockets Layer protocol is broken, and unlike many of the vulnerabilities we see out there, there’s no patch to fix it,” Troy Leach, CTO of the PCI Security Standards Council (SSC), told eWEEK. “This combined with its widespread use makes it a critical vulnerability and one that organizations need to address immediately.”

The following resources have also been made available to help organizations understand PCI DSS 3.1 and its impact on their security programs:

  • Summary of Changes from PCI DSS Version 3.0 to 3.1, which highlights the revisions made.
  • PCI SSC Information Supplement: Migrating From SSL and Early TLS, which provides guidance on the use of interim risk mitigation approaches, migration recommendations, and alternative options for strong cryptographic protocols.
  • Understanding PCI DSS Version 3.1, an on-demand webinar outlining the revisions and guidance.

Supporting documents will be published shortly, including the Self-Assessment Questionnaires (SAQ); Attestations of Compliance (AOC); Report on Compliance (ROC) Template; PCI DSS Glossary of Terms, Abbreviations, and Acronyms; and updates to the Frequently Asked Questions (FAQ) Knowledge Base.