Did you know that the PCI DSS requirements are changing and are due to take effect as early as June 30, 2016? After numerous vulnerabilities in the technology were uncovered, POODLE and Heartbleed for example, the PCI DSS council removed SSL (Secure Sockets Layer) from its list of strong cryptography approaches (i.e. encryption) in early 2015. While the initial timeline gave companies only a single year to get their security approach in order, the revised timeline extends the deadline for complete migration to 2018. The exception is processing and third-party entities, which must offer TLS 1.1 or greater in their services by June 2016. As PCI DSS 3.1 takes effect on June 30, 2016, technology executives such as Tim Brown of Dell argue that these compliance requirements provide the jumping-off point for achieving a higher level of security across channels. But with the initial deadline quickly approaching, what should organizations do to ensure continuing compliance with PCI and information security?
Key points to consider for PCI compliance review:
- Identify all system components and data flows relying on and/or supporting the vulnerable protocols, including third party provider connections
- Identify the business and/or the technical need for using the vulnerable protocol for each system component or data flow
- Schedule vendor reviews when necessary to get a definitive understanding of the risks on their systems and to define migration timelines to secure technology
- Develop risk mitigation plans where and when third party providers cannot meet PCI timelines and fall out of compliance, jeopardizing business operations
- Remove or disable, immediately, all instances of vulnerable protocols that do not have a supporting business or technical need
- Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented
- Document a migration project plan outlining steps and timeframes for updates
- Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment
- Perform migrations and follow change control procedures to ensure system updates are tested and authorized
- Update system configuration standards as migrations to new protocols are completed
- Build a communications element into migration planning, and consider how much legwork it will take to get agreement on the changes.
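As an added example (not code from the original post), the decision logic behind the list above applied to a constructed inventory of data flows: anything still accepting SSL or TLS 1.0 is flagged for immediate removal when no business need is documented, otherwise for migration against the third-party (June 30, 2016) or general (2018; June 30 assumed here) deadline. The `Flow` record, the `assess` function and the inventory entries are assumptions for illustration.

```python
"""Classify an inventory of system components / data flows against the
PCI DSS 3.1 SSL and early-TLS migration rules (assumed example, not a PCI tool)."""
from dataclasses import dataclass
from datetime import date
import re

# Weakest to strongest. PCI DSS 3.1 treats everything below TLS 1.1 as
# SSL / early TLS, i.e. no longer "strong cryptography".
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ACCEPTED = "TLSv1.1"

DEADLINE_THIRD_PARTY = date(2016, 6, 30)   # processing / third-party entities
DEADLINE_OTHER = date(2018, 6, 30)         # extended deadline (day assumed)


def normalize_protocol(name: str) -> str:
    """Map spellings such as 'ssl3', 'TLS 1.0' or 'tlsv1' onto PROTOCOL_ORDER names."""
    m = re.fullmatch(r"\s*(ssl|tls)\s*v?\s*(\d)(?:\.(\d))?\s*", name, re.I)
    if not m:
        raise ValueError(f"unrecognised protocol: {name!r}")
    family, major, minor = m.group(1).upper(), m.group(2), m.group(3) or "0"
    canon = f"{family}v{major}" if family == "SSL" else f"{family}v{major}.{minor}"
    if canon not in PROTOCOL_ORDER:
        raise ValueError(f"unrecognised protocol: {name!r}")
    return canon


def is_strong(protocol: str) -> bool:
    """True when the weakest version an endpoint accepts is TLS 1.1 or greater."""
    return PROTOCOL_ORDER.index(normalize_protocol(protocol)) >= PROTOCOL_ORDER.index(MINIMUM_ACCEPTED)


@dataclass
class Flow:
    name: str
    protocol: str            # weakest protocol version the endpoint still accepts
    third_party: bool        # connection to a processing or third-party provider
    business_need: str = ""  # documented justification; empty means none


def assess(flow: Flow, today: date) -> str:
    """Return the action the checklist above implies for one flow."""
    if is_strong(flow.protocol):
        return "compliant"
    if not flow.business_need:
        return "remove-now"                      # no supporting need: disable immediately
    deadline = DEADLINE_THIRD_PARTY if flow.third_party else DEADLINE_OTHER
    if today > deadline:
        return "non-compliant: mitigation plan required"
    return f"migrate by {deadline.isoformat()}"


def build_report(flows, today: date) -> dict:
    return {f.name: assess(f, today) for f in flows}
```

Run `build_report` over your own inventory with today's date to get one line per flow; constructed entries such as `Flow("pos-gateway", "TLS 1.0", True, "legacy acquirer link")` show the deadline branches.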