Following the release of PCI DSS v3.2.1 to account for dates that have already passed, such as the 30 June 2018 Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration date, PCI SSC has published updated guidance on the use of SSL/Early TLS. In this interview with PCI SSC Senior Director of Data Security Standards Emma Sutcliffe we talk about why this guidance is necessary, and how organizations can use it.

Tell us about the new PCI SSC guidance on the use of SSL/early TLS?

Emma Sutcliffe: To help entities find the guidance they are most interested in, we took the Migrating from SSL/Early TLS Information Supplement (published in April 2016) and from that created two new guidance documents, each containing updated content as well as new and expanded guidance. The two new documents are:

Information Supplement: Use of SSL/Early TLS and Impact on ASV Scans: Provides guidance for merchants and service providers using SSL/early TLS after June 30, 2018, and its impact on PCI DSS and ASV scans.

Information Supplement: Use of SSL/Early TLS for POS POI Terminal Connections: Additional guidance specifically for merchants and service providers using SSL/early TLS for card-present POS POI terminal connections after June 30, 2018.

The new guidance includes clarification of the term “early TLS” and more detailed guidance on how to address the presence of SSL/early TLS in ASV scan results. The Information Supplement: Use of SSL/Early TLS for POS POI Terminal Connections also provides guidance on how the requirements in PCI DSS v3.2.1 Appendix A2 apply to environments supporting POS POI terminals and their service provider connection points.

The new documents will replace the April 2016 Information Supplement, which will be archived on 1 July 2018.

Why is PCI SSC publishing this guidance?

Emma Sutcliffe: The 30 June 2018 deadline is a very important milestone. After this date, SSL and early TLS may no longer be used as a security control for PCI DSS, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect, as defined in PCI DSS Appendix A2.

Last month (May 2018), PCI DSS was updated to v3.2.1, to reflect how the security requirements apply after the migration deadline has passed. This new guidance aligns with PCI DSS v3.2.1 and addresses usage of SSL/early TLS after the migration deadline.

What is important for merchants to understand from this guidance?

Emma Sutcliffe: It’s important for merchants to understand the issues around the continued use of SSL/early TLS. The guidance reinforces that after 30 June 2018 SSL and early TLS cannot be used as a security control for PCI DSS, except as allowed in Appendix A2 for POS POI terminals.

Merchants with POS POI terminals that use SSL/early TLS are encouraged to contact their terminal provider or acquirer to determine if their POS POI terminals are affected by the SSL/early TLS vulnerabilities. Merchants should be aware that new POS POI terminal implementations must not use SSL/early TLS. Additionally, if new exploits are introduced that affect POI terminals and that cannot be addressed by a patch or compensating controls, the POI terminals will need to be updated immediately.

For merchants using SSL/early TLS other than as allowed for POS POI terminal connections:

If SSL/early TLS is being used as a security control for PCI DSS after the 30 June deadline, ensure compensating controls are implemented to mitigate the risk associated with its use and take the necessary steps to migrate to a secure alternative as soon as possible.

If SSL/early TLS is present but not being used as a security control to meet a PCI DSS requirement, these protocols may remain in use. However, it is strongly recommended that they be migrated to a more modern encryption protocol as soon as possible.

The presence of SSL/early TLS often results in ASV scan failures. Merchants using SSL/early TLS that have implemented compensating controls or can confirm it is not being used as a security control or are using it only for POS POI connections as allowed in Appendix A2, can work with their ASV and follow the defined processes to potentially address these scan failures.

How does the guidance advise service providers that are supporting merchants?

Emma Sutcliffe: Service providers using SSL/early TLS to support POS POI terminal connections should ensure they have a Risk Mitigation and Migration Plan in place and are offering a secure connection option to all their customers. As part of the Risk Mitigation and Migration Plan, the service provider will need to confirm they have implemented controls to mitigate the risk to their environment and have defined a future date for replacing SSL/early TLS. Service providers should be communicating the risks of using SSL/early TLS, as well as their target date for migrating away from SSL/early TLS, to their merchant customers.

Entities using TLS should understand the intent of “early TLS”. All implementations of TLS will need to be reviewed to determine if they meet the intent of strong cryptography or if they are vulnerable to known exploits. Guidance for service providers on the processes for addressing ASV scan failures is also provided.

Any specific recommendations for acquirers?

Emma Sutcliffe: Acquirers providing termination points for POS POI terminal connections should follow the same guidance as other service providers in this regard. Acquirers should also be ready to assist their merchants in determining whether their POS POI terminals are susceptible to SSL/early TLS vulnerabilities, and ensure merchants are aware that if new exploits arise for which the terminals are susceptible, the terminals will need to be immediately updated.

Acquirers that require merchants to provide ASV Scan Reports as part of their compliance reporting should be familiar with the “Managing False Positives and Other Disputes” and “Addressing Vulnerabilities with Compensating Controls” processes in the ASV Program Guide. Merchants may be following these processes to address the presence of SSL/early TLS in their ASV scans, and this will be reflected in the ASV Scan Report.

The guidance specifically addresses ASV scans and POS POI terminals. What are some of the key takeaways for Approved Scanning Vendors (ASV) and POS POI vendors?

Emma Sutcliffe: ASVs should be aware that SSL/early TLS will continue to be detected in ASV scans after 30 June 2018. This means that ASVs will need to work with their scan customers and follow the applicable processes defined in the ASV Program Guide – i.e. “Managing False Positives and Other Disputes” or “Addressing Vulnerabilities with Compensating Controls” – to help scan customers address scan failures where applicable.

POS POI vendors should provide their customers with information about which of their terminals are susceptible to known SSL/early TLS exploits, and verification of terminals that are not susceptible. Vendors may also be asked to provide information to help merchants and their assessors verify whether a terminal is susceptible.

How does the guidance help QSAs in their efforts to support merchants’ PCI DSS compliance?

Emma Sutcliffe: QSAs should be aware that the presence of SSL/early TLS in an entity’s environment does not automatically result in a finding of “non-compliant” for PCI DSS. SSL/early TLS may continue to be present in and around the CDE as long as it’s not being used as a security control to meet a PCI DSS requirement.

QSAs should understand the intent of “early TLS” and be knowledgeable in TLS implementations and configurations, so they can determine whether an implementation meets the intent of strong cryptography or is vulnerable to known exploits.

For QSAs supporting merchants and service providers using SSL/early TLS for POS POI terminal connections, the guidance addresses how to document this usage in the Report on Compliance (ROC). For other customers using SSL/early TLS for PCI DSS that have implemented compensating controls, the QSA will need to evaluate the compensating control per the process defined in PCI DSS Appendices B and C.