Recently, the PCI Security Standards Council issued Payment Card Industry Data Security Standards (PCI DSS) version 3.1 (PCI DSS v3.1), with “minor updates and clarifications” to PCI DSS v3.0, which went into effect on January 1, 2015.
The most significant change: PCI DSS v3.1 prohibits the use of any version of SSL for any PCI DSS standard requiring “strong cryptography.” This is effective immediately with respect to new security implementations. Otherwise affected organizations must have a formal risk mitigation and migration plan in place to move away from SSL and must stop using SSL in existing implementations by June 30, 2016.
As a result of the publication of v3.1, PCI DSS v3.0 will be retired on June 30, 2015.
As with PCI DSS v3.0, PCI DSS v3.1 has the greatest impact on e-commerce merchants who partner with third parties for payment card data collection, along with third-party service providers who remotely manage merchant systems and networks.
Up to version 2.0 of the PCI DSS, fully outsourcing an e-commerce payment system via a redirect payment company put the web environment out of scope. The web environment didn’t touch payment card data, and therefore did not have to meet PCI requirements.
But now, certain redirect scenarios—in particular those that utilize client-side scripts and direct posts—will require merchants to implement over one hundred security controls. These controls include vulnerability scanning and penetration testing.
To achieve compliance, an organization must:
- Determine which service providers store, possess, process, and/or transmit cardholder data, and which could impact the security of the “cardholder data environment”
- By June 30, 2015, revise written agreements with the affected service providers to include the provider’s acknowledgement of responsibility for securing cardholder data and the cardholder data environment
- Consider adding a unique authentication credential if a service provider has remote access to the organization’s premises
- Consider requiring service providers to conduct penetration testing of the cardholder data environment
- Consider requiring the service provider to provide results of an independent evaluation regarding the provider’s implementation and adherence to applicable PCI DSS requirements
- For any controls requiring strong encryption, stop using SSL for new security implementations immediately
- Create a risk mitigation and migration plan for transitioning existing implementations that rely on SSL as a security control away from it by June 30, 2016
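A first step in the migration plan is finding which existing web servers still enable the prohibited SSL versions. The following is an added Python example, not code from BAI Security or the PCI SSC, that audits nginx `ssl_protocols` and Apache `SSLProtocol` directives; the configuration fragments are constructed samples, and treating Apache's `all` shortcut as including SSLv2 and SSLv3 is a deliberately conservative assumption so that an unqualified `all` is flagged.

```python
import re

# Protocol names that PCI DSS v3.1 no longer counts as "strong cryptography".
PROHIBITED = {"SSLv2", "SSLv3"}

# Assumption (conservative auditing): treat Apache's "all" shortcut as enabling every
# protocol an older mod_ssl/OpenSSL build might support, including SSLv2 and SSLv3,
# unless the directive removes them explicitly.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def nginx_enabled(config_text):
    """Protocols enabled by the last `ssl_protocols` directive (nginx: last one wins).
    Returns None when the directive is absent, i.e. the build's default applies."""
    matches = re.findall(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    return set(matches[-1].split()) if matches else None


def apache_enabled(config_text):
    """Protocols enabled by the last `SSLProtocol` directive, applying mod_ssl's token
    rules: `all` adds everything, `-all` clears, `-X` removes X, `+X` or bare `X` adds X."""
    matches = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", config_text,
                         re.MULTILINE | re.IGNORECASE)
    if not matches:
        return None
    enabled = set()
    for token in matches[-1].split():
        name = token.lstrip("+-")
        if name.lower() == "all":
            enabled = set() if token.startswith("-") else enabled | APACHE_ALL
        elif token.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def audit(enabled):
    """Sorted list of prohibited protocols still enabled; [] means the directive
    satisfies the SSL prohibition, None means no directive was found at all."""
    return None if enabled is None else sorted(enabled & PROHIBITED)


# Constructed sample fragments: a pre-v3.1 configuration beside its corrected form.
NGINX_BEFORE = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_AFTER = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.1 TLSv1.2;\n}\n"
APACHE_BEFORE = "<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all\n</VirtualHost>\n"
APACHE_AFTER = "<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n"

if __name__ == "__main__":
    for label, result in [("nginx before", audit(nginx_enabled(NGINX_BEFORE))),
                          ("nginx after", audit(nginx_enabled(NGINX_AFTER))),
                          ("apache before", audit(apache_enabled(APACHE_BEFORE))),
                          ("apache after", audit(apache_enabled(APACHE_AFTER)))]:
        print(f"{label}: {'OK' if result == [] else result}")
```

A missing directive is reported as None rather than as compliant, because the protocols enabled by default depend on the server and OpenSSL build and must be confirmed separately.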
BAI Security’s IT Security Assessments help retailers gauge their PCI compliance readiness, identify gaps, and can assist in developing a remediation plan. BAI Security Assessments utilize consistently proven (repeatable) methodology and established industry best practices to gauge an organization’s compliance with applicable regulatory requirements. Find out more here, and let us know how we can help you to achieve PCI DSS 3.1 compliance efficiently and effectively.
Remember too that PCI DSS is a baseline for security. To comprehensively protect sensitive data and systems from cyberattacks, many retailers need to move beyond PCI DSS. BAI Security can work with you to develop a risk-based security plan that makes sense for your business.