The Payment Card Industry (PCI) Security Standards Council (SSC) requires merchants and service providers to use industry standards and best practices for strong cryptography and secure protocols.
With the vulnerabilities recently discovered in SSL and TLS, and in the RC4 cipher, the PCI SSC has raised the lower boundary of what counts as strong cryptography. PCI DSS v3.1 no longer accepts SSL or early TLS (TLS 1.0) in new implementations, and existing implementations must remove them by 30 June 2016. The one exception is POS/POI devices and the SSL/TLS termination points they connect to: these may continue to use SSL/early TLS after that date, provided they can be verified as not susceptible to the known SSL/TLS exploits. Until migration is complete, any existing implementation still using SSL or early TLS must have a formal risk mitigation and migration plan in place. The PCI SSC has published guidance on migrating from SSL and early TLS.
In a newly published paper called Encryption for PCI DSS v3.1, I provide some background on the underlying cryptography issues and explain how encryption is incorporated into the Standard and how it can be audited.
This paper should help those implementing the PCI DSS v3.1 requirements and those conducting audits to ensure an organisation is compliant.