What Merchants Should Know about PCI SSC’s Data Security Standard 3.1

October 7, 2015 • Published Categories PCI 101, SMB Merchants Tags , , , , ,

Merchants should ensure they are in compliance with PCI SSC’s Data Security Standard version 3.1.

Guest post by Ray Moorman, Mercury Payment Systems.

The PCI Security Standards Council (SSC) released its new Data Security Standard 3.1, which clarifies some points of the standards that went into effect on January 1. The PCI SSC delivers guidelines to merchants for the safe handling and storage of credit card data. Businesses that do not comply with PCI standards are subject to fines, penalties and increased costs. This guide will detail the points of the newest PCI SSC release and what it means for merchants moving forward.

Elimination of all SSL and early TLS
The main tenant of PCI DSS 3.1 is the requirement that merchants should no longer use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 1.0 and 1.1 as a way of securing the communication of credit card data. The first release of Transport Layer Security was in 1999, taking the place of Secure Sockets Layer.  SSL and early TLS were given as examples of safe encryption until October 2014, when certain vulnerabilities were discovered, including exposure to padding attacks that effectively decrypted sensitive cardholder information, according to PCI Compliance Guide. Merchants have until June 30, 2016, to eliminate SSL and TLS 1.0 and 1.1 from their systems and find alternative encryption services. Editor’s Note 12/21/15: The PCI SSC has extended the migration completion date to 30 June 2018 for transitioning to a secure version of TLS. Learn more here.


Specifically, they must be removed from four areas, under the Data Security Standard 3.1:

  1. Encryption for wireless networks that transfer cardholder data.
  2. Encryption for web-based management and other remote, administrative access.
  3. Encryption for virtual private networks (VPNs), file sharing and other insecure services.
  4. Encryption of cardholder data during transmission over public networks.

Merchants can no longer implement new technology that relies on Secure Sockets Layer or early versions of Transport Layer Security. If a merchant’s POS or POI (point of interaction) terminals still use SSL or early TLS, but they can verify they are not susceptible to known exploits for SSL and TLS, then these terminals can continue to be used after June 30, 2016. Merchants that are unfamiliar with their company’s cryptographic software should contact system vendors for clarification.

Additional explanation
Primary account numbers should not be sent via SMS text messaging, in addition to the already discouraged email and instant messaging, etc. PCI guidance 3.1 also provided merchants with extra information concerning typographical errors and description of acronyms, among other small clarifications. Here are some important additions for merchants:

  • Inactive user accounts should be removed within 90 days, instead of every 90 days.
  • A vulnerability scan can utilize manual tools, in addition to automated services, instead of just automated tools.
  • Passwords must be changed once every 90 days, instead of at least every 90 days.
  • Updated language for service providers that clarifies the agreement they have with clients is proof of commitment to maintain the best security of cardholder data.

Data Security Standard 3.0 included some larger changes to SAQs for merchants that addressed problems such as hackers taking over a merchant website and redirecting customers to false payment pages. New questionnaires correlating with the 3.1 clarifications were released in July, 2015, but the 3.0 SAQs can be used until June, 2016.

As the PCI SSC continues to release new guidelines over time, merchants should remain cognizant of how the updates affect their business. Maintaining compliance with these regulations is vital, as nonconformity could result in costly penalties.

Ray Moorman is Director of Product Management at Mercury Payment Systems, a Vantiv company, focused on EMV Solutions for the Integrated Payments channel. He has more than a decade of experience in the payments industry and has served in various positions including operations, acquisition integration, and product. 

Subscribe to this blog for additional tips and webinar announcements.

Leave a Comment