PCI Data Security Standard v3.2


Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS

SSL and early TLS SHOULD NOT be used as a security control to meet these requirements. To support entities working to migrate away from SSL/early TLS, the following provisions are included:

  • New implementations must not use SSL or early TLS as a security control.
  • All service providers must provide a secure service offering by June 30, 2016.
  • After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet below).
  • Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
  • POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2018.
