This out-of-band release includes minor clarifications and updates, but is primarily intended to address high-risk vulnerabilities within the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols that can put payment data at risk. Troy Leach, the SSC's chief technology officer, said that, as is the case with any change to a PCI standard, the council worked closely with industry stakeholders to determine the best transition timeframe. Within that information supplement -- a copy of the supplement was provided to SearchSecurity -- is detailed guidance and examples of information to be documented in the formal risk mitigation and migration plan.


Leach said one of the reasons PCI DSS 3.1 calls for a formal risk mitigation and migration plan is to encourage merchants and others that haven't yet addressed the SSL and early TLS security issues to be aware of the risk and start addressing the problem sooner rather than later.
Litan said while the guidelines give merchants more choices for how to mitigate the risk, they won't mean less work in doing so. Litan, however, doubted whether the SSC's decision was purely risk-based, suggesting that the point-of-sale vendors' ability to rework their products before June of 2016 was also a factor.


Editor's note: This article was updated on April 16, 2015, with additional comments from the PCI Security Standards Council.


