What is a PCI Risk Mitigation and Migration Plan?
A PCI DSS risk mitigation and migration plan is a document prepared by an organization that details its plans for migrating to a secure cryptographic protocol. It also describes the controls the company has in place to reduce the risk associated with Secure Sockets Layer/early Transport Layer Security (SSL/early TLS) until the migration is complete.
The Payment Card Industry Data Security Standard (PCI DSS) is the core set of security requirements with which all entities that store, process, or transmit credit card data must comply. It is made up of twelve requirements and numerous sub-requirements that address everything from network security to information security policies. The PCI Security Standards Council (PCI SSC) is responsible for maintaining and updating the PCI DSS standard. The PCI SSC is a global forum that brings together payment industry stakeholders to develop and increase the adoption of data security standards and resources for safe payments worldwide.
Under the rules of PCI DSS 3.1, SSL and early versions of the TLS protocol were no longer considered acceptable for payment data protection because of “inherent weaknesses” in the protocol. Organizations that process payments were required to migrate to TLS 1.1 encryption or higher by June 30, 2018, to safeguard payment data.
In the PCI SSC Information Supplement “Migrating from SSL and Early TLS v1.1”, the guidance states the following:
- “After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain Point of Sale (POS)/Point of Information (POI) terminals is described in the last bullet, below).
- Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
- POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June 2018.”
In PCI DSS v3.2 and the current version at the time of this writing v3.2.1, Appendix A2 detailed the required elements of the Risk Migration and Mitigation Plan, as well as migration dates for SSL/Early TLS.
What does a PCI DSS risk mitigation and migration plan include?
A PCI DSS risk mitigation and migration plan include:
- A description of how vulnerable protocols are used, including;
- The type of environment where the protocols are used.
- The type of data being transmitted.
- The number and types of systems using and/or supporting the protocols.
- The results of a risk assessment and information about the risk reduction controls that are in place:
- Companies have to evaluate and document the risk to their environments and implement risk reduction controls to help mitigate the risks until they can completely remove the vulnerable protocols.
- A description of the processes that are implemented to monitor for new vulnerabilities associated with vulnerable protocols:
- Organizations have to be proactive and stay informed about new vulnerabilities. As new vulnerabilities are published, companies must evaluate the risks they pose to their environments. They also have to determine if they need to implement any additional risk reduction controls until they’ve completed their migrations.
- Description of change control processes that are implemented to ensure they don’t implement SSL/early TLS into new environments:
- If an entity does not currently use or need to support vulnerable protocols, there is no reason why they should introduce such protocols to their environment. Change controls processes include evaluating the impact of the change to confirm the change does not introduce a new security weakness into the environment.
- Overview of the migration project plan, including the target migration completion date:
- Migration planning documentation that included identifying which systems/environments are being migrated and when, as well as a target date by which the overall migration will be completed. The most recent overall migration had to be completed on or before June 30, 2018.
For additional information, please refer to the Information Supplement from the PCI Security Standards Council, Migrating from SSL, and Early TLS v.1.1.