Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1440 Published

Does PCI DSS Appendix A2 apply only to Requirements 2.2.3, 2.3 and 4.1?

PCI DSS Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS applies wherever SSL/early TLS is used as a security control that impacts cardholder data or the cardholder data environment. While Appendix A2 identifies PCI DSS Requirements 2.2.3, 2.3, and 4.1 as examples of requirements directly affected by the use of SSL/early TLS, applicability of the Appendix is not limited to these three requirements. The impact on all requirements must be considered, and Appendix A2 must be completed if SSL/early TLS is being used to meet any PCI DSS requirement.

For example, per Requirement 8.2.1, strong cryptography must be used to render all authentication credentials unreadable during transmission and storage on all system components. Since SSL/early TLS does not constitute strong cryptography, it cannot be used to satisfy this requirement. Organizations using SSL/early TLS for this purpose must have a Risk Mitigation and Migration Plan in place to migrate to a strong cryptographic protocol as soon as possible.

Additionally, because SSL/early TLS is considered an insecure protocol, its allowed use through firewalls must be documented and approved, with security features documented and implemented, in accordance with Requirement 1.1.6. Similarly, the presence of SSL/early TLS on a system component must be justified in accordance with documented configuration standards per Requirement 2.2.2. If SSL/early TLS is enabled but is not necessary for the function of the system, the protocols must be disabled.
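As an added illustration that is not part of the PCI SSC FAQ, the following Python script audits constructed nginx `ssl_protocols` and Apache `SSLProtocol` lines for SSL/early TLS, separating listeners where early TLS is merely present (to be justified or disabled per Requirement 2.2.2) from those that offer nothing else (where the protocol is the security control and Appendix A2 applies). Treating TLS 1.1 as early TLS and expanding Apache's `all` shortcut to SSLv3 through TLS 1.3 are assumptions made here.

```python
import re
# SSL/early TLS per PCI DSS Appendix A2 (SSLv2, SSLv3, TLS 1.0); TLS 1.1 is added
# here as an assumption, since it is likewise no longer considered strong cryptography.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed expansion of Apache's "all" shortcut (current Apache has no SSLv2 support).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def nginx_protocols(line):
    """nginx 'ssl_protocols A B C;' lists exactly the versions that are enabled."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", line)
    return set(m.group(1).split()) if m else None

def apache_protocols(line):
    """Apache 'SSLProtocol all -SSLv3 +TLSv1.2' adds and removes versions in order."""
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line)
    if not m:
        return None
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(APACHE_ALL) if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def audit(config_text):
    """Return (line, enabled, weak_enabled, only_weak) per protocol directive. only_weak:
    the listener offers nothing but SSL/early TLS, so it is the security control and
    Appendix A2 applies; weak_enabled alone: merely present, justify or disable (Req. 2.2.2)."""
    findings = []
    for line in config_text.splitlines():
        enabled = nginx_protocols(line)
        if enabled is None:
            enabled = apache_protocols(line)
        if enabled is None:
            continue  # not a TLS protocol directive
        weak = enabled & WEAK
        findings.append((line.strip(), enabled, weak, bool(weak) and not (enabled - WEAK)))
    return findings

# Constructed sample: for each server, a weak setting beside its corrected form.
SAMPLE_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""
if __name__ == "__main__":
    for line, enabled, weak, only_weak in audit(SAMPLE_CONFIG):
        status = "APPENDIX A2" if only_weak else ("REVIEW" if weak else "OK")
        print(f"{status:11} {line}  early_tls={sorted(weak)}")
```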

If SSL/early TLS is present but is not being used as a security control, Appendix A2 would not apply. However, the use of SSL/early TLS must still be documented and addressed in accordance with applicable requirements surrounding the presence of insecure protocols.

Additional guidance on migrating away from SSL/early TLS can be found in the Information Supplement: Migrating from SSL and Early TLS, available in the PCI SSC Document Library.
