The out-of-band release of Qualys PCI Compliance that adds support for PCI DSS 3.1 is out! The primary intention of this release is to address SSL and TLS encryption issues that have evolved recently. Effective immediately merchants are prohibited from implementing new technologies that rely on SSL or early TLS. SSL and early TLS cannot be used in any way as standalone security control after June 30, 2016. So basically merchants have about 14 months to remove SSL and early TLS from their environments. ‘Early TLS’ is TLS version 1.0 and in some cases 1.1 depending on where it’s used and how it’s implemented.
With this new release of Qualys PCI Compliance, Qualys QID 38606 will detect the presence of SSL v3 on affected systems and will start failing PCI compliance scans after June 30, 2016, as previously announced. Additionally, Qualys has revised the solution sections of SSL/TLS-related vulnerabilities to suggest solutions where TLS v1.1+ is preferred.
In prior scan reports, it is already possible to identify the existence of SSL v2 through QID 38139, and it’s possible to identify the existence of SSL v3 from a combination of different QIDs. But having this new single QID to identify SSL v3 simplifies identification for administrators and increases their visibility into SSL versions in their systems.
PCI DSS 3.1 Changes
The following sections from PCI DSS 3.1 were changed:
This section outlines that effective immediately for new implementations SSL or early TLS should not be used. SSL and/or early TLS must not be introduced into environments where they don’t already exist.
For existing implementations, SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.
All non-console administrative access should be encrypted. For web-based management and other non-console administrative access use SSH, VPN or later versions of TLS.
Transmission of cardholder data should be safeguarded with later versions of TLS, IPSEC, SSH or similar. And that SSL/early TLS will not be considered as strong cryptography after June 30, 2016.