Newsletter 2/2015

With this newsletter we want to inform you about the current publications of the PCI Security Standards Council (PCI SSC). The most important topics are:

1. new version 3.1 of the PCI DSS
2. new information supplement on penetration testing
3. new information supplement on tokenization solutions

PCI DSS v3.1 published

Effective immediately, version 3.1 of the PCI DSS is available. Apart from a number of clarifications, the most important change is that SSL v3 and TLS v1.0 are no longer accepted as secure protocols. Existing implementations must be replaced no later than June 30, 2016. The updated requirements address the weaknesses and vulnerabilities identified in SSL and early TLS in recent years (POODLE and related downgrade attacks among them). Several further clarifications and adjustments were also made, for example a separate test procedure for the case that hashed and truncated (masked) versions of the same PAN are present in the same cardholder data environment, since the two can be correlated to reconstruct the original PAN.

Requirements 2.2.3, 2.3, 4.1 and 4.1.1 were changed to reflect that SSL v3 and TLS v1.0 are no longer considered "strong cryptography". The only exception concerns POS POI terminals (and the SSL/TLS termination points they connect to): they may continue to use SSL v3/TLS v1.0 after the sunset date of June 30, 2016 if it can be verified that they are not susceptible to any of the known exploits for these protocols. We nevertheless strongly recommend migrating to a current TLS version (TLS 1.2 or later). For e-commerce systems the migration is mandatory in order to meet the new requirements. In line with the new version, all ASVs were informed that SSL v3/TLS v1.0 remains acceptable in scan results until June 30, 2016, provided that the scanned entity supplies a risk mitigation plan together with a migration plan.
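The following script is an added example (not code from the newsletter or from the PCI SSC) showing how a practitioner can check which protocol versions a server still negotiates and apply the sunset rule described above. It pins a client-side handshake to exactly one protocol version at a time using Python's ssl module; the target host, the ISO scan date, the verdict labels and the "pass-with-plan" handling of the ASV exception are assumptions made for the example.

```python
"""Probe a TLS endpoint for SSL v3 / TLS 1.0 acceptance and judge the result
against the PCI DSS v3.1 sunset date.  Added example, not PCI SSC code."""
import datetime as dt
import socket
import ssl

# Protocol versions in the order a scan would try them.  Which of these the
# local OpenSSL can still speak depends on the build; SSLv3 is usually gone.
CANDIDATES = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
DEPRECATED = {"SSLv3", "TLSv1.0"}      # "SSL and early TLS" in PCI DSS v3.1 terms
SUNSET = dt.date(2016, 6, 30)          # migration deadline named in the newsletter


def probe_version(host, port, version, timeout=5.0):
    """True  -> server completed a handshake pinned to exactly `version`
       False -> server refused that version
       None  -> inconclusive (local OpenSSL cannot offer it, or no connection)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we test protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; lower it
        # so that a refusal we observe comes from the server, not our own client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None                     # this build cannot speak `version` at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        return False                    # alert or reset in the handshake: refused
    except OSError:
        return None                     # unreachable / timeout: no evidence


def scan(host, port=443):
    """Map protocol name -> True/False/None for every candidate version."""
    return {name: probe_version(host, port, ver) for name, ver in CANDIDATES}


def evaluate(results, scan_date_iso, has_migration_plan=False):
    """Apply the v3.1 rule to a scan result: deprecated protocols accepted after
    the sunset date fail; before it they pass only with a documented risk
    mitigation and migration plan (the ASV exception).  A deprecated version the
    probe could not test is reported as inconclusive rather than as a pass."""
    scan_date = dt.date.fromisoformat(scan_date_iso)
    accepted = sorted(p for p, ok in results.items() if ok and p in DEPRECATED)
    inconclusive = sorted(p for p, ok in results.items()
                          if ok is None and p in DEPRECATED)
    if not accepted:
        verdict = "inconclusive" if inconclusive else "pass"
    elif scan_date > SUNSET:
        verdict = "fail"
    else:
        verdict = "pass-with-plan" if has_migration_plan else "fail"
    return {"verdict": verdict, "deprecated_accepted": accepted,
            "inconclusive": inconclusive}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed host
    found = scan(target)
    print(found)
    print(evaluate(found, dt.date.today().isoformat()))
```

Note that a None result is deliberately not treated as "protocol refused": a modern client that cannot even offer SSL v3 proves nothing about the server, which is exactly the trap an assessor must avoid when accepting "not vulnerable" evidence for POS terminals.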

Information supplement for penetration testing published

In March 2015 the PCI SSC published a new information supplement, the "Penetration Testing Guidance", describing how internal and external penetration tests are to be carried out under requirement 11.3 of the PCI DSS. The supplement sets out in detail what is expected of a PCI DSS aligned penetration test, covering scoping, the qualifications of the tester, methodology and reporting.

Information supplement for tokenization published

In April 2015 the PCI SSC published a further information supplement, the "Tokenization Product Security Guidelines", with information on tokenization solutions that replace the PAN with a surrogate value.

If you have any questions, please feel free to contact us. It is a pleasure to support you!