PCI Compliance Update – New PCI Data Security Standard Version 3.1
The new version 3.1 of the PCI Data Security Standard (“PCI DSS”) is now available and provides clarifications and guidance on a number of PCI DSS requirements. For example, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are no longer considered strong cryptography: they cannot be used for new implementations, and, subject to a limited exception, they cannot be used as a security control after June 30, 2016 (the “Deadline”). If you continue an existing use of these legacy SSL and TLS encryption methods, PCI DSS v3.1 requires that your company have a formal Risk Mitigation and Migration Plan in place. Is your e-commerce site using one of these legacy encryption tools? If so, you may need to start planning your update now (and make sure your company’s vendors are using the proper and more secure protocols).
There are a number of other published changes in PCI DSS v3.1 which are new requirements or become requirements after June 30, 2015. Most of these other changes are designed to clarify existing PCI DSS language. Assuming you agree to be bound by the terms of the agreement provided by the PCI Security Standards Council, you can access PCI DSS v3.1 and a summary of changes between PCI DSS v3.0 and PCI DSS v3.1 here. The PCI Council also provided an overview webinar on this topic, which can be found here.