Frequently Asked Question

How should entities apply the new SSL/TLS migration dates to Requirements 2.2.3, 2.3 and 4.1 for PCI DSS v3.1?

This FAQ is intended for entities migrating from SSL/early TLS.

In December 2015, PCI SSC announced that the deadline for migrating away from SSL/early TLS has been extended from June 30, 2016 (as published in PCI DSS 3.1), to June 30, 2018. This change will be included in the next version of PCI DSS, which is expected in 2016.

In the meantime, entities validating to PCI DSS v3.1 can use the following guidance when assessing Requirements 2.2.3, 2.3 and 4.1:

As is currently the case, entities with a Risk Mitigation and Migration Plan that includes a completion date no later than June 30, 2016 (and that meets all other Risk Mitigation and Migration Plan content requirements) are considered to be "in place" for that particular requirement.*
Entities with a target migration date that falls between June 30, 2016 and June 30, 2018 are considered as being 'in place with a compensating control', with the PCI SSC announcement providing justification for the migration timeframe.
Entities with a target migration date that is later than June 30, 2018 are considered to be "not in place" for these requirements.

* Note: All applicable elements of a requirement or sub-requirement must be met in order for it to be considered 'in place'. This guidance addresses only the target migration dates within an entity's Risk Mitigation and Migration Plan, and does not preclude the need to meet other requirements and sub-requirements.

For details about how to document the above in a ROC or SAQ for PCI DSS v3.1, refer to How should entities complete their ROC or SAQ for PCI DSS v3.1 using the new SSL/TLS migration dates?

January 2016

Article Number: 1372

Frequently Asked Question