SSLv3 no longer meets the definition of strong encryption
The PCI SSC decided in February 2015 that SSLv3 no longer meets the definition of "strong encryption." This means that once the PCI DSS is updated, organizations can no longer expect to remain compliant if they continue to use SSLv3.
The PCI SSC has decided that TLS 1.2 or greater does equal strong encryption. We are no longer supporting any communication with a lower standard than the TLS 1.2 protocol. Organizations who haven't already begun this transition will need to complete this process immediately to restore communication. Merchants must act now to remove SSLv3, TLS1.0, TLS 1.1 support from all their services and not just those that are in scope for PCI compliance.
On April 14, 2015, the PCI SSC has announced that the PCI DSS 3.1 update will be published and effective April 15, 2015. This update makes the following summary clarifications about the use of SSLv3 and TLS 1.0 in PCI relevant environments:
- New implementations must use alternatives to SSL and early TLS.
- Organizations with existing implementations of SSL and early TLS must have a risk mitigation and migration plan in place.
- Prior to June 30, 2016, Approved Scanning Vendors (ASVs) may document receipt of an organizations risk mitigation and migration plan as an exception in the ASV Scan Report (in accordance with the ASV Program Guide).
- Point of Sale (POS) or Point of Interaction (POI) devices that can be verified as not being susceptible to all known exploits of SSL and early TLS may continue to use these protocols as a security control after June 30, 2016.