Qualys Blog

www.qualys.com
Frank Catucci

PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1

SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0”\ will be marked as a Fail for PCI as of May 1, 2017 in accordance with the PCI DSS v3.2.  For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI until June 30, 2018.

PCI DSS v3.2 specifies that wherever SSL / Early TLS are used, Appendix A2 must be completed.  Appendix A2 details the required elements of the Risk Migration & Mitigation Plan, as well as migration dates for SSL/Early TLS:

  • Cannot be used for new implementations;
  • Cannot be used for existing implementations after June 30, 2018;
  • Prior to June 30, 2018 existing implementations must have a Risk Mitigation & Migration Plan.

A new version of the Information Supplement Migrating from SSL and Early TLS v1.1 has also been published, which states the following:

“Prior to June 30, 2018: Entities that have not completed their migration should provide the ASV with documented confirmation that they have implemented a Risk Mitigation and Migration Plan and are working to complete their migration by the required date. Receipt of this confirmation should be documented by the ASV as an exception under ‘Exceptions, False Positives, or Compensating Controls’ in the ASV Scan Report Executive Summary, and the ASV may issue a result of ‘Pass’ for that scan component or host, if the host meets all applicable scan requirements.

Documents are available in the PCI Council Document Library.

4 responses to “PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1”

  1. From text in this post and from links provided it is little bit confusing what exactly “Early TLS” is? Is it only TLS v1.0 and if it is why use confusing words “early TLS” and not explicitly define which versions.

    • Hello dunkan,

      Per Official PCI Security Standards Council Site, pcisecuritystandards.org, “The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2. Note that not all implementations of TLS v1.1 are considered secure. Please refer to NIST SP 800-52 rev. 1 for guidance on secure TLS configurations.”

      Regards,

      Frank

  2. Of course our servers support TLS1.1, TLS1.2, but we can not decide which version of protocol is used by user. We notice that TLS1.0 is still widely used(up to 20%), if we do shut it down after June 30, 2018, it will surely results that many of clients can not connect our website unless they upgrade their browser. We can not force our clients to upgrade their browsers,this is the tough problem.

Leave a Reply