2

I'm new to security in a variety of ways. We have a PCI audit coming up soon. We've put together a risk mitigation/migration plan for TLS 1.0 and have submitted it to the auditors.

My boss is focusing right now on addressing various TLS 1.0 sources. He calls it an "easy win", to get some of the low-hanging fruit out of the way. If we have any larger issues, then getting some of these easy wins will lower our score elsewhere.

But we filed a mitigation/migration plan. That's all PCI-DSS 3.1 calls for; it doesn't call for immediate remediation.

It's almost certainly me misunderstanding something. What am I missing?

XtinaS
  • 33
  • 3

2 Answers

1

TLS 1.0 (and 1.1 in some configurations) is not considered to be secure and thus not PCI compliant. Currently PCI allows the creation of a mitigation plan that will have everything resolved by June 30, 2016. This is because some browsers (IE) do not have TLS 1.1 on by default.

FordPre
  • 21
  • 3
0

What you are talking about are the notes regarding SSL/TLS on several requirements, such as 2.2.3 in PCI DSS v3.1:

Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

This ties into the risk assessment process in 12.2:

12.2 Implement a risk-assessment process that:

  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  • Identifies critical assets, threats, and vulnerabilities, and
  • Results in a formal, documented analysis of risk.

See this guidance for what early TLS and SSL mean. In a nutshell, you want all SSL/TLS communications to be on TLS 1.1 and above.

I don't know what you're referring to with "lowering your score"; however, your mitigation plan must have something in place to say how you are getting rid of TLS 1.0 and earlier before July 2016. After this date you must not be using TLS 1.0 and earlier at all, therefore any audits that take place after this date will fail if you are. You are correct: there is no immediate requirement to have these protocols disabled, just so long as the plan is there.

Disclaimer: I'm not a QSA, nor your QSA

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178