PA-DSS Compliance Rules Revised to Ditch SSL #Crypto #PA-DSS #PCI-DSS

The PCI Security Standards Council published revisions to the Payment Application Data Security Standard (PA-DSS) this week to address concerns over the Secure Sockets Layer (SSL) protocol.

Effective from the 1st of June 2015, the update aligns the technical standard with the latest version of the Payment Card Industry Data Security Standard (PCI-DSS), which was itself revised recently because of concerns over SSL security. According to the PCI Security Standards Council (PCI SSC), organisations need to understand whether and how their payment applications use SSL, and upgrade to a secure version of Transport Layer Security (TLS). Under the new rules, upgrading payment applications and systems to TLS 1.1 at a minimum is the only way to properly address recent SSL vulnerabilities such as POODLE and BEAST.

The revisions also include other minor modifications to improve clarity, based on stakeholder feedback.

There is a transition period for applications currently undergoing PA-DSS 3.0 validation, according to the council. New application submissions against PA-DSS 3.0 will be accepted until the 31st of August 2015, and applications being validated against PA-DSS 3.0 that are "in queue" at the deadline will have until the 30th of November 2015 to complete the validation process. The expiry date for payment application listings validated to PA-DSS 3.1 is the 28th of October 2019.