Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections
Overview
This Appendix applies only to entities using SSL/early TLS as a security control to protect POS POI terminals, including service providers that provide connections into POS POI terminals.
Entities using SSL and early TLS for POS POI terminal connections must work toward upgrading to a strong cryptographic protocol as soon as possible. Additionally, SSL and/or early TLS must not be introduced into environments where those protocols don't already exist. At the time of publication, the known vulnerabilities are difficult to exploit in POS POI payment terminals. However, new vulnerabilities could emerge at any time, and it is up to the organization to remain up to date with vulnerability trends and determine whether it is susceptible to any known exploits. The PCI DSS requirements directly affected are:
- Requirement 2.2.5: Where any insecure services, protocols, or daemons are present: business justification is documented, and additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
- Requirement 2.2.7: All non-console administrative access is encrypted using strong cryptography.
- Requirement 4.2.1: Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.
SSL and early TLS must not be used as a security control to meet these requirements, except in the case of POS POI terminal connections, as detailed in this appendix. To support entities working to migrate from SSL/early TLS on POS POI terminals, the following provisions are included:
- New POS POI terminal implementations must not use SSL or early TLS as a security control.
- All POS POI terminal service providers must provide a secure service offering.
- Service providers supporting existing POS POI terminal implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
- POS POI terminals in card-present environments that can be verified as not being susceptible to any known exploits for SSL and early TLS, and the SSL/TLS termination points to which they connect, may continue using SSL/early TLS as a security control.
Requirements in this Appendix are not eligible for the Customized Approach.
Sections
A2. SSL/Early TLS Risk Mitigation for POS Systems
Secure payment systems using legacy cryptographic protocols while transitioning to modern encryption standards.
Frequently Asked Questions
What's the deadline for eliminating SSL/early TLS from POS environments?
Existing implementations must migrate to TLS 1.2+ by **March 31, 2025**. New deployments after PCI DSS 4.0 adoption prohibit SSL/early TLS entirely. In the interim, a Risk Mitigation and Migration Plan is required.
How to securely configure TLS 1.0 while migrating?
1) Enable TLS_FALLBACK_SCSV, 2) Use AES-GCM instead of CBC, 3) Implement HSM-protected keys, 4) Network segmentation with IDS/IPS. Weekly vulnerability scans are mandatory.
What evidence validates POS terminal encryption?
1) FIPS 140-3 validation certificates, 2) ASV scans showing protocol compliance, 3) Pen test reports targeting TLS weaknesses, 4) Cryptographic library version logs.
How are service providers held accountable for TLS compliance?
Contracts must include: 1) TLS 1.2+ migration roadmap, 2) Quarterly compliance attestations, 3) Financial penalties for non-compliance. Validate through SOC 2 Type II reports.
What monitoring detects SSL/TLS exploitation attempts?
1) Wireshark-based anomaly detection, 2) SIEM rules for SSLv3 handshakes, 3) File integrity monitoring on OpenSSL libraries, 4) HSM audit logs of cryptographic operations.
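As an added example (not from this page), the following Python sketches the detection logic behind item 2 above: it parses a raw ClientHello or ServerHello record and reports whether SSL or early TLS was offered or, on the server side, actually negotiated. The sample records are constructed inline, and the function names are my own.

```python
"""Added example (not from the page): classify SSL/early-TLS use from raw
ClientHello/ServerHello records, the logic a SIEM rule for "SSLv3 handshakes"
needs. Assumes one unfragmented handshake message per record."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SUPPORTED_VERSIONS = 0x002B
NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
         0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {0x0002, 0x0300, 0x0301, 0x0302}  # SSL and "early TLS" in Appendix A2 terms


def _extensions(body, pos):
    """Yield (type, data) for the extension block starting at pos, if present."""
    if pos + 2 > len(body):
        return
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        yield etype, body[pos + 4:pos + 4 + elen]
        pos += 4 + elen


def parse_hello(record):
    """Return {"type", "versions"}: versions the client offers or the server selected,
    highest first. TLS 1.3 carries the real version in supported_versions and an
    SSLv2-compatible ClientHello has no TLS record header, so both are handled."""
    if len(record) >= 5 and record[0] & 0x80 and record[2] == CLIENT_HELLO:
        (max_ver,) = struct.unpack("!H", record[3:5])
        return {"type": "client_hello", "versions": [max_ver, 0x0002]}  # SSLv2 framing => SSLv2 offered
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs_type = record[5]
    body = record[9:]                    # after the 5-byte record and 4-byte handshake headers
    (legacy_ver,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                         # version + random
    pos += 1 + body[pos]                 # session id
    if hs_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                # cipher suite list
        pos += 1 + body[pos]             # compression method list
    elif hs_type == SERVER_HELLO:
        pos += 2 + 1                     # chosen suite + compression method
    else:
        raise ValueError("unsupported handshake type %d" % hs_type)
    versions = []
    for etype, data in _extensions(body, pos):
        if etype == EXT_SUPPORTED_VERSIONS and data:
            if hs_type == CLIENT_HELLO:  # 1-byte list length, then 2-byte versions
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            else:                        # server: exactly one selected version
                versions = [struct.unpack("!H", data[:2])[0]]
    versions = [v for v in versions if (v & 0x0F0F) != 0x0A0A]  # drop GREASE values
    if not versions:
        versions = [legacy_ver]          # pre-1.3 peers: the header version is the real one
    kind = "client_hello" if hs_type == CLIENT_HELLO else "server_hello"
    return {"type": kind, "versions": sorted(versions, reverse=True)}


def legacy_alert(record):
    """SIEM-style verdict. A ServerHello shows the negotiated version, so a legacy hit
    there is a real legacy session; a ClientHello only shows what was offered."""
    info = parse_hello(record)
    name = lambda v: NAMES.get(v, hex(v))
    legacy = [name(v) for v in info["versions"] if v in LEGACY]
    if info["type"] == "server_hello":
        return {"severity": "high" if legacy else "none",
                "negotiated": name(info["versions"][0]), "legacy": legacy}
    only_legacy = all(v in LEGACY for v in info["versions"])
    return {"severity": "high" if only_legacy else ("low" if legacy else "none"),
            "max_offered": name(info["versions"][0]), "legacy": legacy}


# Constructed sample records (not captures) for exercising the parser.
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_client_hello(legacy_version, supported_versions=None):
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"  # version, random, no session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one suite (TLS_RSA_WITH_AES_128_CBC_SHA), null compression
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    return _record(CLIENT_HELLO, body)

def build_server_hello(legacy_version, selected=None):
    body = struct.pack("!H", legacy_version) + b"\x22" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    return _record(SERVER_HELLO, body)

# SSLv2-compatible ClientHello whose advertised maximum is SSLv3 (constructed)
SSLV2_HELLO = b"\x80\x1c\x01\x03\x00" + b"\x00\x03\x00\x00\x00\x10" + b"\x01\x00\x80" + b"\x00" * 16
```

The ServerHello is the better alert source because it names the negotiated version, whereas a client that offers TLS 1.0 may still end up on TLS 1.2; the ClientHello verdict is only "high" when nothing modern was offered at all, which is the fingerprint of an unmigrated terminal. One caveat for the TLS 1.0 configuration answer above: AES-GCM suites exist only from TLS 1.2 onward, so any session that negotiates SSLv3, TLS 1.0 or TLS 1.1 is necessarily on a CBC (or RC4) suite, which is why the negotiated version by itself is a useful signal.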
Common QSA Questions
Show Risk Mitigation Plan for legacy payment terminals
Plan includes: 1) 2,450 terminals scheduled for replacement by Q3 2025, 2) MACsec encryption on all dial-up connections, 3) Quarterly firmware updates. Approved by CISO on 01/15/2025.
Demonstrate TLS 1.0 disablement in new deployments
Our CI/CD pipeline enforces: 1) OpenSSL 1.1.1+ configuration checks, 2) TLS 1.2-only flags in Ansible playbooks, 3) Automated rollback of non-compliant deployments. Git logs show 0 violations since 2024.
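One shape such a pipeline check can take, as an added example that is not the organization's or the page's own code: a Python gate that scans nginx `ssl_protocols` directives and the OpenSSL 1.1.1+ `MinProtocol` setting for SSL/early TLS and returns the violations that should block a deployment. The function names and the config fragments are constructed for illustration.

```python
"""Added example (hypothetical CI gate, not the page's own pipeline): fail a deploy
when an nginx or openssl.cnf fragment still permits SSL or early TLS."""
import re

EARLY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # SSL and early TLS spellings used by both tools


def check_nginx(text):
    """Violations for every `ssl_protocols` directive that lists SSL or early TLS."""
    out = []
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", text, re.M):
        bad = [t for t in m.group(1).split() if t in EARLY]
        if bad:
            out.append("nginx: ssl_protocols permits " + " ".join(bad))
    return out


def check_openssl_cnf(text):
    """Violations for an OpenSSL 1.1.1+ config: MinProtocol must be TLSv1.2 or TLSv1.3."""
    m = re.search(r"^\s*MinProtocol\s*=\s*(\S+)", text, re.M)
    if not m:
        return ["openssl.cnf: no MinProtocol, so early TLS stays enabled unless the security level forbids it"]
    if m.group(1) in EARLY:
        return ["openssl.cnf: MinProtocol = %s allows early TLS" % m.group(1)]
    return []


def gate(files):
    """files: {path: contents}. Returns every violation; an empty list means the deploy may proceed."""
    out = []
    for path, text in files.items():
        checker = check_openssl_cnf if path.endswith(".cnf") else check_nginx
        out += ["%s: %s" % (path, v) for v in checker(text)]
    return out


# Constructed fragments: a non-compliant pair and a compliant pair.
BAD = {
    "nginx.conf": "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n",
    "openssl.cnf": "[system_default_sect]\nCipherString = DEFAULT@SECLEVEL=2\n",
}
GOOD = {
    "nginx.conf": "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n",
    "openssl.cnf": "[system_default_sect]\nMinProtocol = TLSv1.2\n",
}

if __name__ == "__main__":
    for label, files in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, gate(files) or "clean")
```

Wiring `gate()` into the pipeline so that a non-empty result fails the job gives the "automated rollback of non-compliant deployments" a concrete trigger, and the returned strings are the evidence a QSA would ask to see alongside the Git history.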
Provide HSM configuration for POS encryption keys
Thales payShield 9000: 1) FIPS 140-2 Level 3 validated, 2) Unique KEK per terminal group, 3) Automated key rotation every 90 days. Audit logs show 0 key compromises in 3 years.