Based on some of the questions I have received since my post on v3.2, apparently a lot of people missed this little point in my last post about the Council’s Webinar.
“The final key point on this topic that the Council could not stress enough was, just because the deadline has been pushed out was no justification for an organization to wait until the last minute before addressing these critical vulnerabilities. If an organization can meet the June 30, 2016 deadline, then they should meet that deadline. If they need until December 31, 2016 to convert, then they need to mitigate the risk until December 31, 2016 when they can drop SSL and early TLS. But waiting for the sake of waiting because the deadline is in 2018 is unacceptable and needs to be called out as ‘Not In Place’ by QSAs.”
For all of you in denial out there, make sure you truly read that last sentence.
Yes folks. Your QSA can mark you as non-compliant if your organization does not have a very, very, very good and legitimate documented business reason for not meeting the June 30, 2016 deadline for getting rid of SSL and early TLS.
Want to argue that point? Fine. Then you can expect your QSA to put you in arbitration with your acquiring bank on this subject. If your acquiring bank is willing to sign off on your lame delay, then so be it. But if your bank denies your request, then expect to be put into remediation by your bank and possibly even be fined for your arrogance.
And one more thing we have since clarified. If you can meet the June 30, 2016 deadline, then you only need mitigation and migration plans for your QSA. If you are not going to meet the 2016 deadline, then in addition to the plans your organization will also need to provide a compensating control worksheet (CCW) for 4.1. Even if you are filing your Report On Compliance (ROC) before June 30, 2016, you still need to provide your QSA with the plans and the CCW if you will miss the 2016 deadline.
So for all of you out there that thought you had dodged a bullet, there is another bullet with your name on it. You have been warned.
PCI Guru 