These PCI DSS Changes Took Place On June 30th. Are You Ready For Them?

For anyone who has a business that regularly uses POI and POS terminals, the new PCI SSC guidelines for TLS are of massive importance.

Are you prepared for them?

New PCI SSC Guidance For SSL/TLS

The PCI SSC (Payment Card Industry Security Standards Council) has taken their old set of guidelines, Migrating from SSL/Early TLS Information Supplement, and replaced it with two new sets.

This was done because of the new guidelines, PCI DSS v3.2.1, and the passing of various official deadlines for how systems are managed, including June 30, 2018, the deadline for Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration.

The first new guide, Information Supplement: Use of SSL/Early TLS and Impact on ASV Scans, explains the impact for PCI DSS and ASV scans to retailers and service providers, and provides information for those using early SSL/TLS after the June 30, 2018 deadline.

The second new guide, Information Supplement: Use of SSL/Early TLS for POS POI Terminal Connections, provides more information for retailers and service providers whose systems incorporate card-present POS POI terminal connections.

These guidelines also define terms like “early systems”, while providing in-depth requirements for the new technology.

Why Is The PCI SSC Publishing This?

As we stated above, the June 30 milestone is a tremendously important one.

Beginning July 1, SSL and Early TLS may not be valid as security controls for PCI DSS, except by POS POI terminals that have been verified as not being susceptible to verified exploits.

In May 2018, PCI DSS was updated to v3.2.1, with new security requirements.

What Merchants Need To Know

If you're a merchant, you'll need to check how old your TLS systems are and make sure they comply with new security standards.

To find out whether they are, you can get in touch with your POS/POI supplier, or call us at 1st Secure IT.

It's worth noting that any new installs of POI and POS terminals cannot use SSL or early TLS, so if you've just set up your POS systems with a new product you're likely okay.

If any new vulnerabilities emerge that affect POI terminals and that can't be addressed by a software patch or updated controls, you'll need to immediately update them.

If you use SSL or early TLS for purposes other than as allowed for your POS POI terminal connection, note that your systems are out of date. You'll need to update your controls to minimize any risks and remain PCI DSS compliant.

Contact us here at 1st Secure IT if you need help with this.

If you're using SSL/early TLS but have other security protocols in place to meet a PCI DSS requirement, however, you can maintain your current protocols.

But you really should update to a modern encryption protocol as soon as possible, as SSL and early TLS have a number of vulnerabilities in them these days.

On top of that, having SSL or early TLS in a system can often result in ASV scan failures.

Either way, contact us here at 1st Secure IT and we'll help you find out whether you're still compliant.

What Acquiring Banks Need To Know

If you're an acquiring bank that provides termination points for POS and POI terminal connections, you should follow the same advice listed above.

You should also be ready to help your merchants and retailers to ensure their systems are in compliance and secure against threats.

After all, if your merchants are found to be noncompliant, you could be liable for a fine as well.

If you require your merchants and retailers to provide you with ASV Scan Reports as part of their compliance reporting, be sure to familiarize yourself with how to handle false positives triggered by older technology protocols.

Contact 1st Secure IT

Did all that make your head spin?

If so, you're not the only one.

The world of PCI DSS compliance can be overwhelming even if you already specialize in IT.

But you don't have to go through it alone.

At 1st Secure IT, we're here for you.

We'll take you by the hand and walk you through every step you need to take in order to make sure you remain PCI DSS compliant.

Whether you're a merchant, an acquirer, or a service provider, we've got your back.

Call us at 866-735-3369 or email us at, and keep your business safe and secure in an uncertain digital world.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Monday, 19 August 2019