The Payment Card Industry Security Standards Council (PCI SSC) has announced that no version of secure sockets layer (SSL) technology meets its definition of "strong cryptography." Accordingly, it will need to revise its Data Security Standard and Payment Application Data Security Standards.
According to a PCI press release, the announcement was based on finding by the National Institute of Standards and Technology that the Secure Socket Layers v3.0 protocol is no longer acceptable for protection of data due to inherent weaknesses within the protocol.
With no known way to remediate vulnerabilities in the SSL protocol, the PCI SSC is urging organizations to work with IT departments and partners to determine whether they are using SSL and what options they have for upgrading to a strong cryptographic protocol as soon as possible.
Once published, PCI DSS v3.1 will be effective immediately, however, affected requirements will be future-dated to allow organizations time to implement the changes.