On April 15, 2015 the PCI Security Standards Council published PCI DSS Version 3.1. This version introduces requirements to address vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol and early versions of the Transport Layer Security (TLS) encryption protocol that can put payment data at risk. Effective immediately, all versions of SSL and early versions of TLS are no longer considered strong cryptography.
The key requirement changes are:
- Effective immediately new implementations must use an alternative to SSL and early TLS (versions lower than 1.2).
- SSL and early TLS are not considered strong cryptography and not allowed as a security control after June 30, 2016. Existing implementations must complete an encryption protocol migration by this date.
As a result of these changes, any merchant who has implemented a customized ecommerce site or payment application must start planning to comply with the new requirements. In addition, any merchant who has implemented a third party vendor payment solution should contact the vendor to confirm a solution to meet the new requirements.