
PCI 3.1 Compliance Deadline is Here

09/09/2015  |  By: Stewart Fey, Director of Technical Services


Recently, the Payment Card Industry Data Security Standard (PCI DSS) introduced its latest round of compliance changes in version 3.1. The changes take effect immediately. Now that the dust has settled, here's what you need to know about them.

Under PCI 3.1, Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 are no longer considered effective encryption and should be disabled. This applies to point-of-sale (POS) devices as well: POS transmissions, both incoming from customers and outgoing to your credit card processor, must be encrypted and can no longer use SSL 3.0 or TLS 1.0.

Time is of the essence, since organizations are expected to implement the PCI 3.1 changes immediately. However, there is a grace period provided your organization adheres to certain conditions.

  • At a minimum, your organization must supply a detailed upgrade plan in writing. It should clearly outline how your organization will execute the above changes by June 30, 2016.

Not sure which SSL/TLS version your organization is currently using?

Visit www.ssllabs.com to test your Internet-facing e-commerce systems. The report shows which protocol versions each server still accepts, so you can confirm whether SSL 3.0, TLS 1.0 or anything older is still enabled.

If you’ve determined that your SSL/TLS version isn’t PCI 3.1 compliant, the next step would be to disable all versions of SSL and any versions of TLS older than 1.1.

One caveat: older Internet Explorer versions might not have TLS enabled by default. If that's the case, you'll need to enable TLS first, before you disable SSL 2.0 and 3.0.

Regardless of whether you address the PCI 3.1 upgrade immediately or by the June 30, 2016 deadline, every organization and its people, partners and vendors must comply. The sooner, the better. PCI 3.1 compliance strengthens security across the board.

Many organizations find the process too daunting or time-consuming to handle on their own. If that’s the case, consider working with an outside consultant well versed in PCI 3.1 compliance. They can assess your current systems, explain the requirements in more detail and walk you through the process to meet compliance standards in a timely and effective manner.


LBMC Information Security reviews compliance efforts, tests to confirm compliance and helps your team develop an action plan to remediate compliance gaps. If you have questions, please contact us. Learn more about our PCI Compliance services.


Posted in: PCI Compliance