The Payment Card Industry (PCI) Security Standards Council has released a bulletin on impending revisions to version 3.0 of the Payment Application Data Security Standard (PA-DSS) and version 3.0 of the PCI Data Security Standard (PCI-DSS), which we reported on in January 2014.
To ensure the continued protection of consumers’ payment data, the PCI Security Standards Council is making changes that align with the National Institute of Standards and Technology’s findings that Secure Sockets Layer (SSL) v3.0 is no longer adequate because of inherent weaknesses within the protocol.
The findings mean that no version of SSL meets the PCI Security Standards Council’s definition of “strong cryptography”. As a result, the revised standards, PCI-DSS v3.1 and PA-DSS v3.1, will be published to reflect the findings.
The bulletin states that these revised standards will be “effective immediately, but impacted requirements will be future dated to allow organisations to implement the changes”. In the interim, organisations are encouraged to find out whether they are using SSL and, if so, to upgrade to a “strong cryptographic protocol as soon as possible”.
These impending revisions should help organisations protect their data and handle the processing of payment card information.