PCI SSC: Bulletin on Migrating from SSL and Early TLS

Download the Bulletin. Key points and deadlines:

  • All processing and third party entities, including Acquirers, Processors, Gateways and Service Providers, must provide a TLS 1.1 or greater service offering by June 2016
  • Consistent with the existing language in the DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater
  • All processing and third party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018
  • SSL/TLS 1.0 within a POI terminal that can be verified as not being susceptible to all known exploits for SSL and early TLS, with no demonstrative risk, can be used beyond June 2018, consistent with the existing language in the DSS v3.1 for such an exception

Jake Eliasz

Jake is a Chartered Lead Security Consultant with over 15 years' experience in Information Technology. Jake has performed many consultative engagements for the retail, banking and government sectors in the EMEA region. Jake is currently focused on designing security controls, PCI DSS, PA DSS, ethical hacking and security risk/compliance. Prior to working for NCC Group, Jake worked as a Lead Security Consultant - QSA (Ambersail), Security Specialist (CreditCall) and Security Analyst (Symantec), where he designed, implemented and managed various security controls for large, distributed networks. Jake graduated from the University of Plymouth with an MSc degree in Information Security.
