A2.1.2 Additional requirement for service providers only: All service providers with existing connection points to POS POI terminals that use SSL and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration Plan in place.
Defined Approach Requirements
A2.1.2 Additional requirement for service providers only: All service providers with existing connection points to POS POI terminals that use SSL and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration Plan in place that includes:
- Description of usage, including what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, and type of environment.
- Risk-assessment results and risk-reduction controls in place.
- Description of processes to monitor for new vulnerabilities associated with SSL/early TLS.
- Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments.
- Overview of migration project plan to replace SSL/early TLS at a future date.
Customized Approach Objective
This requirement is not eligible for the customized approach.
Applicability Notes
This requirement applies only when the entity being assessed is a service provider.
Defined Approach Testing Procedures
A2.1.2 Additional testing procedure for service provider assessments only: Review the documented Risk Mitigation and Migration Plan to verify it includes all elements specified in this requirement.
Purpose
POS POI termination points, including but not limited to service providers such as acquirers or acquirer processors, can continue using SSL/early TLS when it can be shown that the service provider has controls in place that mitigate the risk of supporting those connections for the service provider environment.
Good Practice
Service providers should communicate to all customers using SSL/early TLS about the risks associated with its use and the need to migrate to a secure protocol.
Definitions
The Risk Mitigation and Migration Plan is a document prepared by the entity that details its plans for migrating to a secure protocol and describes controls the entity has in place to reduce the risk associated with SSL/early TLS until the migration is complete.
Further Information
Refer to the current PCI SSC Information Supplements on SSL/Early TLS for further guidance on Risk Mitigation and Migration Plans.
Purpose
Restrict use of SSL/Early TLS to POS POI terminals that can be verified as not susceptible to known exploits.
Compliance Strategies
- Vulnerability assessments
- Vendor documentation
Typical Policies
- POS Terminal Security Policy
Common Pitfalls
- Unsupported terminals
- No vulnerability validation
Type
Technical/Process Control
Difficulty
High
Key Risks
- Terminal compromise via protocol exploits
Recommendations
- Replace or upgrade at-risk terminals
Eligible SAQ
- SAQ-D SERVICE PROVIDER