A2.1 POI terminals using SSL and/or early TLS are confirmed as not susceptible to known SSL/TLS exploits.
This requirement focuses on ensuring that Point of Interaction (POI) terminals using SSL and/or early TLS are not vulnerable to known exploits. It ensures that merchants verify their POI terminals are secure, and that service providers have proper risk mitigation plans and secure service offerings.
Sub-requirements
- A2.1.1 : Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols.
- A2.1.2 : Additional requirement for service providers only: All service providers with existing connection points to POS POI terminals that use SSL and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration Plan in place.
- A2.1.3 : Additional requirement for service providers only: All service providers provide a secure service offering.
A2.1. SSL/Early TLS Risk Mitigation for POS POI Terminals
Manage risks associated with SSL/early TLS usage in card-present environments while working toward cryptographic protocol upgrades.
Key Risks
Frequently Asked Questions
Can we implement new POS terminals using SSL/early TLS?
**No** - All new POS POI terminal implementations after PCI DSS 4.0 adoption must use TLS 1.2 or later with strong cipher suites (e.g., AEAD suites such as AES-GCM with ECDHE key exchange). SSL and early TLS (TLS 1.0 and 1.1) are prohibited for new deployments; the exception in A2.1 exists only for terminals already in the field.
What must a Risk Mitigation Plan include?
Required elements: 1) Inventory of affected systems, 2) Quarterly vulnerability validation, 3) Cryptographic protocol upgrade timeline, 4) Compensating controls (e.g., network segmentation), 5) Service provider commitments.
How often must SSL/TLS vulnerabilities be checked?
**Monthly** automated scans, plus **immediate** checks after new SSL/TLS CVEs are published. Qualys SSL Labs is suitable for internet-facing termination points only; internal gateways and acquirer connections need a scanner you can run on the network itself (for example `openssl s_client`, testssl.sh or nmap's `ssl-enum-ciphers` script). Note that a POI terminal is normally the TLS client, so what you scan is the endpoint it connects to, and the terminal's own firmware must be checked against the vendor's protocol and vulnerability statements. Maintain records of all checks for 3 years.
What evidence shows POS terminals aren't susceptible to known exploits?
Provide: 1) ASV scan reports with SSL/TLS protocol and cipher checks, 2) Penetration test results targeting protocol vulnerabilities, 3) Configuration exports or scan output from the TLS termination points (load balancers, gateways) showing that only TLS 1.2+ and strong cipher suites are enabled, 4) Vendor statements or firmware release notes confirming the terminal models in use are not affected by the known SSL/early TLS exploits.
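The checks referred to in the two answers above (a scan repeated after new CVEs, and evidence that the endpoints a terminal talks to will not negotiate SSL or early TLS) can be scripted. The following is an added example, not code from the original page or from any PCI SSC or vendor tool. It assumes a TLS termination point reachable from the host running it (an acquirer gateway or load balancer; POI terminals are usually TLS clients, so the server side is what gets probed), and the function names `audit_endpoint`, `_probe` and `assess` are mine. The sample audit records used in the test are constructed, not captured from a real scan.

```python
import socket
import ssl
import sys

# Legacy protocol versions that A2.1 is concerned with. ssl.TLSVersion.SSLv3 exists
# as an enum member, but most current OpenSSL builds cannot negotiate it at all,
# which the probe reports as "unsupported-locally" rather than "refused".
LEGACY_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}

# Substrings of OpenSSL cipher-suite names that scanners commonly flag as weak:
# RC4, single and triple DES ("DES-CBC3"), NULL and export ciphers, MD5 MACs,
# anonymous (unauthenticated) key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def _probe(host, port, version, timeout=5.0):
    """Try a handshake pinned to one protocol version.

    Returns 'accepted', 'refused', 'unsupported-locally' (our own OpenSSL cannot
    speak that version, so another scanner is needed) or 'error' (no TCP path).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are measuring what the endpoint will negotiate, not whether we trust it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower OpenSSL's security level so legacy suites can be offered at all.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except (ssl.SSLError, ConnectionResetError):
        # Alert, or the server simply dropped the connection: either way, refused.
        return "refused"
    except OSError:
        return "error"


def audit_endpoint(host, port=443):
    """Probe each legacy version, then record what a TLS 1.2+ client negotiates."""
    result = {name: _probe(host, port, v) for name, v in LEGACY_VERSIONS.items()}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["modern"] = {"version": tls.version(), "cipher": tls.cipher()[0]}
    except OSError:  # ssl.SSLError is a subclass of OSError
        result["modern"] = None
    return result


def assess(audit):
    """Turn an audit record into A2.1 findings. An empty list means no exposure found."""
    findings = []
    for name in LEGACY_VERSIONS:
        state = audit.get(name)
        if state == "accepted":
            findings.append(f"{name} accepted: endpoint is still using SSL/early TLS")
        elif state == "unsupported-locally":
            findings.append(f"{name} not testable from this host; use another scanner")
    modern = audit.get("modern")
    if modern is None:
        findings.append("no TLS 1.2+ handshake possible: upgrade required")
    elif any(marker in modern["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {modern['cipher']}")
    return findings


if __name__ == "__main__":
    # Usage: python a2_probe.py gateway.example.net 443   (hostname is a placeholder)
    target, target_port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    report = audit_endpoint(target, target_port)
    print(report)
    print(assess(report) or ["no SSL/early TLS exposure found"])
```

Keep the raw `audit_endpoint` output together with the date and scanner host as the evidence record; a "refused" for every legacy version plus an AEAD suite under "modern" is what a QSA will want to see, while any "unsupported-locally" result means the check is incomplete, not passed.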
Are cloud-based POS systems exempt from these requirements?
**No** - Applies to all POS POI terminals regardless of deployment model. Cloud implementations must terminate terminal connections on TLS 1.2+ endpoints and provide evidence (configuration exports, scan results) that those endpoints negotiate only TLS 1.2+ with strong cipher suites.
Common QSA Questions
Show your formal Risk Mitigation and Migration Plan
Our plan includes: 1) 450 legacy terminals scheduled for TLS 1.2 upgrades by Q3 2025, 2) Network segmentation using VLANs with IPS monitoring, 3) Weekly vulnerability checks via Tenable.io. Approved by CISO on 01/15/2025.
Demonstrate SSL/TLS termination point security
We use F5 BIG-IP LTM with: 1) TLS 1.2-only configuration, 2) ECDHE-ECDSA-AES256-GCM-SHA384 cipher suite, 3) HSM-backed private keys for the server certificates. Evidence includes SSL Labs A+ rating reports and ASV scan compliance.
Provide service provider compliance evidence
Maintain: 1) Payment processor's TLS 1.3 migration roadmap, 2) Quarterly SOC 2 reports showing protocol compliance, 3) Contractual SLAs for vulnerability remediation <72 hours. Last audit confirmed 100% TLS 1.2+ usage.