Truvantis Blog

A Summary of Deadlines in PCI 3.2

Everybody - Immediately

  • Existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place
  • New implementations must not use SSL and/or early TLS
June 30, 2016 - Service Providers
  • Service Providers must have a secure TLS option (i.e. TLS 1.1 with its insecure ciphers disabled, or TLS 1.2) available for their customers. They may continue to offer SSL and/or early TLS as well until July 1, 2018 if they wish

February 1, 2018 - Everybody

  • Deploy mMulti-factor authentication for all personnel with non-console administrative access to the CDE – remote or otherwise
  • Change control processes must include verification that all applicable PCI DSS requirements impacted by a significant change have been implemented

February 1, 2018 - Service Providers

  • Maintain a documented description of the cryptographic architecture used to protect cardholder data
  • Ensure timely detection, reporting and response to failures of critical security control systems
  • Perform penetration testing on segmentation controls at least every six months
  • Executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program
  • Perform and document reviews at least quarterly to confirm personnel are following security policies and operational procedures

July 1, 2018 - Everybody

  • Retire all use of SSL and/or early TLS

The required timing for the switch to TLS from SSL has been delayed until July 2018, though we are encouraging our clients to make this switch as quickly as possible. There are certain exceptions for POS POI terminals – call us for details

The council has created a nice summary of SSL issues and the reason for the requirement to switch here.

If you have questions about these new requirements or need help meeting the implementation deadlines, give us a call at 855.345.6298 to find out more.

Subscribe to Email Updates

Recent Posts

Contact Us