Overview
PCI Data Security Standard v3.2, Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
SSL and early TLS must not be used as a security control to meet these requirements. In this context "early TLS" means TLS 1.0 and, where an implementation cannot be confirmed free of the known weaknesses, TLS 1.1; PCI SSC guidance treats TLS 1.1 as the minimum acceptable version and strongly encourages TLS 1.2 or later. To support entities working to migrate away from SSL/early TLS, the following provisions are included:
- New implementations must not use SSL or early TLS as a security control.
- All service providers must provide a secure service offering by June 30, 2016.
- After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet below).
- Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
- POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2018. Note that this allowance covers only the terminal-to-termination-point connection; any other use of SSL/early TLS in the environment falls under the June 30, 2018 deadline above.