thePCI Portal

Category: V3.1

TLS, SSL and PCI – The links

I got tired of hunting these down regularly.  Here are the official TLS and SSL reference links in one spot: SSL/Early TLS: Working with an ASV on Failed Scans http://blog.pcisecuritystandards.org/working-with-an-asv-on-failed-scans INFORMATION SUPPLEMENT Migrating from SSL and Early TLS Version 1.0 Date: April 2015 Author: PCI Security Standards Council – Includes: Preparing a Risk Mitigation and…

PCI DSS 3.2

Have you read the PCI Security Standards Council blog post with a version 3.2 Q&A with Chief Technology Officer Troy Leach yet? Some of the highlights include: What’s in 3.2? evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers;…

PCI DSS Version 3.0 Retired

PCI DSS Version 3.0 is now retired (June 30 2015)!  Version 3.1 has been effective since April 2015. And this date marks the beginning of the one year countdown for use of SSL and early TLS as a security control (June 30, 2016).  New implementations must not use SSL or early TLS.  For the next…

PA-DSS updated to version 3.1 – SSL to TLS

PA-DSS has been updated to version 3.1.  Read the council’s announcement here.   This brings the PA-DSS in line with the PCI-DSS in terms of both version numbers and the update on “strong” encryption protocols.   I.e:  TLS 1.2 only please. And if you have read the council’s guidance on TLS migration that was published back in…

Who is a service provider for a SAQ A ecommerce only Merchant?

The Scenario: Low volume ecommerce only merchant.  Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced.  The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…

Does an SAQ-A merchant need ASV scans?

If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? The Merchant must always comply with their Acquirer’s direction. V3.1 of the SAQ A does not include requirement 11.2.2  Only SAQ A-EP,…