The countdown is on to PCI 3.1 compliance

Earlier this year, the PCI Security Standards Council released PCI DSS 3.1, and many businesses are already scurrying to meet its demands, including retiring Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS). The Council no longer considers any version of SSL, or early TLS (TLS 1.0; its migration guidance accepts TLS 1.1 but strongly encourages TLS 1.2), to be strong cryptography, so these protocols must be eliminated wherever they protect cardholder data. For organizations with custom Web sites or custom applications that rely on these older protocols, this can be quite an undertaking.

While some businesses might be able to simply change a configuration setting to turn the old protocols off, others will have to modify the affected applications. For instance, a business that runs an SSL VPN with client agents deployed on remote laptops and mobile devices will need to move both the gateway and every client to an acceptable version of TLS; a client that still speaks only the old protocol stops connecting the moment the gateway is hardened. The more devices deployed, the more a business needs a sound strategy to ensure compliance.

PCI DSS 3.1 makes clear that merchants cannot roll out new implementations that use SSL or early TLS; that prohibition took effect when the standard was released. Existing Web sites and applications get a grace period, but with the June 30, 2016, migration deadline, the time to start is now.

The key is identifying whether you have this problem and how deep into the enterprise it extends. To hasten this part of the process, a third party can perform an assessment to uncover where SSL and early TLS are still accepted on the network. Earthlink’s professional services staff can perform a vulnerability scan and share the findings through a comprehensive report and consultation. Businesses can use this report to begin working with third-party vendors to close the identified gaps. Without such a scan, vendors would have to spend time probing the environment themselves to find the weak points.
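The core check behind such a scan, as an added example that is not part of this post or of Earthlink’s tooling: a Python 3.7+ script (standard library only) that offers a server exactly one protocol version at a time, records whether the handshake is accepted, and turns the results into PCI DSS 3.1 findings. The host and port are arguments you supply; the result dictionaries at the bottom are constructed for illustration, not taken from a real scan. The caveat the code has to handle is that a modern OpenSSL build often cannot speak SSLv3 at all, so a client-side scanner must report that version as untestable rather than silently passing it.

```python
import socket
import ssl
import sys

# PCI DSS 3.1 treats SSL (all versions) and "early TLS" (TLS 1.0) as not being
# strong cryptography.  Policy encoded here: SSLv3 and TLS 1.0 must be rejected
# by the server, and TLS 1.2 (or 1.3) must be accepted so clients have somewhere
# to go once the old protocols are switched off.
NON_COMPLIANT = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1)
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
PROBE_ORDER = NON_COMPLIANT + (ssl.TLSVersion.TLSv1_1,) + MODERN


def probe_version(host, port, version, timeout=5.0):
    """Handshake with host:port offering exactly one protocol version.

    Returns 'accepted', 'rejected' or 'untestable'.  'untestable' means this
    client could not run the test (the local OpenSSL was built without the
    version, or the host is unreachable), which is not the same as a pass.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "untestable"  # local library refuses to even offer this version
    try:
        # OpenSSL security levels >= 1 refuse TLS 1.0/1.1 handshakes outright;
        # lower the level so the probe reflects the server, not the client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher-string syntax not understood (e.g. LibreSSL): use defaults
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "untestable"  # unreachable: say so rather than report a pass
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
        except (ssl.SSLError, OSError):
            return "rejected"  # protocol_version alert or connection reset


def scan(host, port=443):
    """Probe every version in PROBE_ORDER and return {version: outcome}."""
    return {v: probe_version(host, port, v) for v in PROBE_ORDER}


def assess(results):
    """Turn {version: outcome} into (verdict, findings).

    verdict is 'fail' if any non-compliant version is accepted, 'inconclusive'
    if one could not be tested and none failed, otherwise 'pass'.
    """
    findings = []
    verdict = "pass"
    for version in NON_COMPLIANT:
        outcome = results.get(version, "untestable")
        if outcome == "accepted":
            verdict = "fail"
            findings.append(f"{version.name} accepted: disable it (PCI DSS 3.1)")
        elif outcome == "untestable":
            findings.append(f"{version.name} not testable from this client: confirm with another scanner")
            if verdict == "pass":
                verdict = "inconclusive"
    if not any(results.get(v) == "accepted" for v in MODERN):
        findings.append("TLS 1.2 not accepted: enable it before disabling older versions or clients will break")
    return verdict, findings


# Constructed sample results (not from a real scan) so the assessment logic
# can be exercised without network access.
SAMPLE_LEGACY = {  # a typical legacy server with everything switched on
    ssl.TLSVersion.SSLv3: "accepted", ssl.TLSVersion.TLSv1: "accepted",
    ssl.TLSVersion.TLSv1_1: "accepted", ssl.TLSVersion.TLSv1_2: "accepted",
    ssl.TLSVersion.TLSv1_3: "rejected",
}
SAMPLE_HARDENED = {  # old protocols off, TLS 1.2 and 1.3 on
    ssl.TLSVersion.SSLv3: "rejected", ssl.TLSVersion.TLSv1: "rejected",
    ssl.TLSVersion.TLSv1_1: "rejected", ssl.TLSVersion.TLSv1_2: "accepted",
    ssl.TLSVersion.TLSv1_3: "accepted",
}
SAMPLE_BLIND = {  # scanner built without SSLv3: cannot rule it out
    ssl.TLSVersion.SSLv3: "untestable", ssl.TLSVersion.TLSv1: "rejected",
    ssl.TLSVersion.TLSv1_1: "rejected", ssl.TLSVersion.TLSv1_2: "accepted",
    ssl.TLSVersion.TLSv1_3: "rejected",
}

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        results = scan(host, port)
    else:
        results = SAMPLE_LEGACY  # no host given: demonstrate on constructed data
    for version in PROBE_ORDER:
        print(f"{version.name:8} {results.get(version, 'untestable')}")
    verdict, findings = assess(results)
    print("verdict:", verdict)
    for finding in findings:
        print(" -", finding)
```

Run it as `python scan_tls.py www.example.com 443` (the file name is whatever you save it as). The same probe can be done by hand with `openssl s_client -tls1 -connect host:443`, and an SSLv3 result that comes back untestable should be re-checked with a scanner built against an OpenSSL that still supports it. On the remediation side, the setting the scan is looking for is typically a single protocol list, for example the `ssl_protocols` directive in nginx or `SSLProtocol` in Apache httpd.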

For instance, if an application is hosted in the cloud and relies on SSL, the business can work with the provider to home in on the problem areas and to learn how the application behaves once the older protocols are switched off.

In essence, Earthlink can help shortcut what a business and vendor will have to address to ensure compliance by the mandate’s deadline, providing cost and competitive advantages.

Interestingly, Earthlink is under the same demands and must assess our networks in the same way. We’ll be sharing what we learn with our professional services team, ensuring that customers get the best insight for PCI 3.1 compliance.

Have you gotten the ball rolling for PCI 3.1 yet? Let us know in the comments below.

About TJ Kulpa

TJ Kulpa
TJ Kulpa joined Earthlink in November of 2013 as Director of ITS Services. He has been in the telecommunications industry for over 20 years, with experience ranging from Technical Sales Support and Director of Network Operations to, most recently before his role at Earthlink, Director of Product Development and Management for Data and Security Services. He has led teams developing successful data and security products with advanced features to meet the demands of the ever-changing landscape. TJ was recruited by Earthlink in Q4 2013 to manage the company’s Cloud and Security services initiative and to take the product set to the next level. With a focus on the security product set, TJ continues to evolve the security solutions to address the ever-growing threats that face companies today by adding features and functionality to the core product set. With recent releases to the current Data Center Firewall product and PCI Compliant Solutions, it is his passion to assist customers in understanding how critical it is to have a security solution in place that prevents a company’s critical data and transactions from ever being compromised, 24x7x365.