The February 1, 2018 new requirements date for PCI DSS 3.2 has come and gone. The February 1 deadline included requirements for all organizations covering change management processes to confirm that affected PCI DSS requirements are in place after significant change (Requirement 6.4.6) and multi-factor authentication for all non-console administrative access (Requirement 8.3.1).
Service providers have five additional requirements:
- Maintain a documented description of the cryptographic architecture (Requirement 3.5.1)
- Detect and respond to failures of critical security control systems (Requirements 10.8, 10.8.1)
- Perform penetration testing on segmentation controls at least every six months (Requirement 184.108.40.206)
- Establish a formal PCI DSS compliance program (Requirement 12.4.1)
- Perform reviews at least quarterly to ensure security policies and procedures are followed (Requirements 12.11, 12.11.1)
In addition to the February 1 deadline, the June 30, 2018 deadline has also passed. The June 30 deadline covers migration from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) to a more secure TLS v1.2 or higher and disabling any fallback to SSL and early versions of TLS. The weaknesses in these protocols is significant. The recent exploits for SSL and early TLS include high profile breaches resulting from POODLE, Heartbleed, and Freak. There are no patches or fixes available that can mitigate vulnerabilities in SSL or early TLS. All organizations must update to the latest TLS version immediately, with TLS version 1.2 being the current recommended version.
A Generalized Migration Plan’s Key Points:
- Identify all system components and data flows relying on and/or supporting the vulnerable protocols and for each system component or data flow, identify the business and/or technical need for using the vulnerable protocol.
- Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need.
- Document a migration project plan outlining steps and timeframes for updates and implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment.
- Perform migrations and follow change control procedures to ensure system updates are tested and authorized.
- Update system configuration standards as migrations to new protocols are completed.
The only exception to this June 30, 2018 deadline is Point-of-Interaction (POI) terminals that can be verified as not being susceptible to all known SSL and TLS exploits. Business owners should check with the terminal manufacturer for migration, update, upgrade, or verification instructions. We recommend working with a Qualified Security Assessor (QSA) for addressing these requirements in your unique environment.
PCI DSS security requirements are in a constant state of flux. To stay current on these changes and how to maintain compliance, regularly check this blog and contact us for more information. True Digital Security is a Qualified Security Assessor (QSA) Company and can assist in developing a risk mitigation and migration plan for your business.