Friday, December 29, 2017

PCI DSS 3.2 implementation date draws near - are you ready?

As all retailers know, becoming and staying compliant with the Payment Card Industry Data Security Standard (PCI DSS) is a big job. PCI DSS is THE ecommerce security standard: in order to accept payment with Visa, MasterCard, American Express, Discover and others, you must comply with their security requirements.

The latest version of the standard, PCI DSS 3.2, was released back in April 2016 and contained two specific requirements concerning communication protocols, SSL v3 and TLS 1.0, both of which are to be removed by June 30, 2018.

As 2017 draws to a close, there are two dates in 2018 that are very important if your employer is subject to PCI DSS standards. The first is February 1, 2018 and the second is June 30, 2018.

Until January 31, 2018, the requirements introduced in PCI DSS 3.2 are considered best practices. Starting February 1, 2018 they are effective as requirements and must be used.

After June 30, 2018, all entities must have stopped the use of SSL/early TLS as a security control and use only secure versions of the protocol. This means you can no longer use any version of SSL and can only use TLS v1.1/1.2. Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
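As an added example (not part of the original post), here is a small Python check a defender can run over captured handshake records to spot servers still negotiating SSL v3 or TLS 1.0 after the June 30, 2018 cut-off. The sample ServerHello records are constructed inline for the check; no real traffic is needed.

```python
"""Classify the version carried in a TLS/SSL ServerHello against the
PCI DSS 3.2 rule: no SSL, no TLS 1.0; only TLS 1.1 and TLS 1.2 remain."""
import struct

# Protocol version bytes used in the record and handshake layers.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
# Versions still permitted after June 30, 2018 under PCI DSS 3.2.
ALLOWED = {"TLS 1.1", "TLS 1.2"}

HANDSHAKE = 0x16      # record content type for handshake messages
SERVER_HELLO = 0x02   # handshake message type for ServerHello


def negotiated_version(record: bytes) -> str:
    """Return the server_version in a ServerHello record, e.g. 'TLS 1.0'.

    Layout: 5-byte record header (type, major, minor, length), then a
    4-byte handshake header (type, 3-byte length), then server_version.
    Raises ValueError for anything that is not a ServerHello record.
    """
    if len(record) < 11:
        raise ValueError("record too short")
    ctype, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    major, minor = body[4], body[5]          # server_version field
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def is_pci_compliant(record: bytes) -> bool:
    """True only if the negotiated version survives the 2018 cut-off."""
    return negotiated_version(record) in ALLOWED


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal ServerHello record (sample data for the check)."""
    # version(2) + random(32) + session_id_len(1) + cipher_suite(2) + compression(1)
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake
```

Feed it records captured from your own servers; any result other than TLS 1.1 or TLS 1.2 is a finding to carry into the Risk Mitigation and Migration Plan.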

Failure to meet these dates and requirements could cause your organization to fail audits and be subject to fees and penalties. The article below is dated, but provides a good overview of the consequences of failing a PCI audit:

7 Critical Consequences Of Failing PCI Compliance - Forbes

If you're interested in learning more about PCI-DSS 3.2, you can review this document or research additional information on the PCI Security Standards Council site and the PCI Compliance Guide site: