A2.1.3 Additional requirement for service providers only: All service providers provide a secure service offering.
Defined Approach Requirements
A2.1.3 Additional requirement for service providers only: All service providers provide a secure service offering.
Customized Approach Objective
This requirement is not eligible for the customized approach.
Applicability Notes
This requirement applies only when the entity being assessed is a service provider.
Defined Approach Testing Procedures
A2.1.3 Additional testing procedure for service provider assessments only: Examine system configurations and supporting documentation to verify the service provider offers a secure protocol option for its service.
Purpose
Customers must be able to choose to upgrade their POIs to eliminate the vulnerability in using SSL and early TLS. In many cases, customers will need to take a phased or gradual approach to migrate their POS POI estate from the insecure protocol to a secure protocol and so will require the service provider to support a secure offering.
Further Information
Refer to the current PCI SSC Information Supplements on SSL/Early TLS for further guidance.
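The testing procedure above asks the assessor to examine system configurations for a secure protocol option. The following added example (not part of the PCI DSS text or of any PCI SSC material) audits an nginx-style ssl_protocols directive for exactly that: it reports whether at least one secure protocol is offered and which SSL/early TLS protocols remain enabled during a phased migration, so they can be tracked against the compensating controls. The protocol classification, the sample configurations and the helper names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed classification for this example (not text from the requirement):
# SSL and early TLS are insecure; TLS 1.2 and 1.3 are the secure options.
INSECURE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SECURE = {"TLSv1.2", "TLSv1.3"}

@dataclass
class ProtocolFinding:
    secure_offered: set = field(default_factory=set)
    insecure_offered: set = field(default_factory=set)
    unknown: set = field(default_factory=set)

    @property
    def meets_a2_1_3(self) -> bool:
        """Met when at least one secure protocol is offered. Insecure ones
        still enabled are reported so compensating controls can be tracked."""
        return bool(self.secure_offered)

def parse_nginx_ssl_protocols(config_text: str) -> set:
    """Collect every protocol named in ssl_protocols directives of an
    nginx-style config, ignoring comments; reports all that are enabled."""
    protocols = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if m:
            protocols.update(m.group(1).split())
    return protocols

def audit_config(config_text: str) -> ProtocolFinding:
    finding = ProtocolFinding()
    for proto in parse_nginx_ssl_protocols(config_text):
        if proto in SECURE:
            finding.secure_offered.add(proto)
        elif proto in INSECURE:
            finding.insecure_offered.add(proto)
        else:
            finding.unknown.add(proto)
    return finding

# Constructed sample configs (not from any real deployment).
LEGACY_ONLY = "server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1;  # no secure option\n}\n"
TRANSITIONAL = "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n}\n"
if __name__ == "__main__":
    for name, cfg in (("legacy-only", LEGACY_ONLY), ("transitional", TRANSITIONAL)):
        f = audit_config(cfg)
        print(name, "meets A2.1.3:", f.meets_a2_1_3, "insecure:", sorted(f.insecure_offered))
```

The legacy-only configuration fails the check because no secure protocol is offered; the transitional one meets A2.1.3 while still listing TLSv1 and TLSv1.1 as interim exposure.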
Purpose
Implement compensating controls for SSL/Early TLS use until migration is complete.
Compliance Strategies
- Network segmentation
- Additional monitoring
Typical Policies
- Compensating Controls Policy
Common Pitfalls
- Weak compensating controls
- No monitoring
Type
Technical/Process Control
Difficulty
High
Key Risks
- Interim risk of data exposure
Recommendations
- Document and review compensating controls regularly
Eligible SAQ
- SAQ-D SERVICE PROVIDER