PCI DSS 3.2 and the Use of SSL/Early TLS as a Security Control
PCI DSS 3.2 is expected by the end of April 2016, and Dara Security has provided an overview of the expected changes.
One of the changes discussed concerns the use of SSL/early TLS as a security control. The deadline to stop using SSL/early TLS has been extended to June 30, 2018; however, new implementations must not use SSL/early TLS at all.
Further, if you continue to use SSL/early TLS until June 30, 2018, you must have a “Risk Mitigation and Migration Plan” in place. This document should provide details about your plans to migrate to a secure protocol and the controls you’re using to reduce risks until your migration is complete.
The PCI Security Standards Council provides a document about migrating from SSL and early TLS, which covers the risks of using SSL/early TLS, the PCI DSS requirements affected, information about a Risk Mitigation and Migration Plan, and frequently asked questions.
For information about keeping your customers’ sensitive information secure with InOrder, please contact us.