PCI Council Announces Revisions to Security Standards Rejecting SSL Encryption | Practical Law

The Payment Card Industry Security Standards Council announced that it will revise the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) to reflect that the Secure Sockets Layer (SSL) protocol does not meet the strong cryptography standard.

Practical Law Legal Update 7-600-9345 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 18 Feb 2015
USA (National/Federal)
On February 13, 2015, the Payment Card Industry Security Standards Council (PCI SSC) released a bulletin announcing that it will publish revised versions of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).
The revised standards, which will be published as PCI DSS v3.1 and PA-DSS v3.1, will provide that no version of the Secure Sockets Layer (SSL) protocol, a cryptographic protocol designed to secure communications over computer networks, meets the PCI SSC’s definition of “strong cryptography.” This change reflects the National Institute of Standards and Technology's finding that SSL v3.0 is no longer acceptable for data protection. In addition, the revised standards will include minor updates and clarifications.
Although the revised standards will be effective upon publication, the new requirements will be future-dated to allow organizations time to implement the changes. Until the revisions are published, the PCI SSC urges organizations to determine whether they are using SSL and, if so, to upgrade to a strong cryptographic protocol.
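The two steps the bulletin asks for, finding out whether SSL is still being negotiated and moving to a stronger protocol, look like this in Python's standard `ssl` module. This is an added example, not code from the bulletin or from the PCI SSC: it builds a client context that cannot negotiate any SSL version, and it audits a small set of constructed connection records of the kind `SSLSocket.version()` produces. The page only says that no version of SSL qualifies as strong cryptography; the floor of TLS 1.2 used here is this example's own assumption.

```python
import ssl

# Protocol floor chosen for this example. The page states only that no SSL
# version counts as strong cryptography; requiring TLS 1.2 or newer is an
# assumption made here, not a figure taken from the bulletin.
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2

# Strings returned by ssl.SSLSocket.version(), mapped to ssl.TLSVersion.
# SSLv2 has no TLSVersion member, so it is absent here and treated as legacy.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that keeps certificate and hostname verification on
    and refuses to negotiate anything below MINIMUM_VERSION (so every SSL
    version is rejected, whatever the peer offers)."""
    ctx = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = MINIMUM_VERSION
    return ctx


def refuses_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context can never negotiate SSLv3, either because the
    legacy OP_NO_SSLv3 option is set or because its version floor is above it."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) or ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def is_strong(negotiated: str) -> bool:
    """Decide whether a negotiated protocol string meets the example's floor.
    Unknown names (including 'SSLv2') are treated as not strong."""
    version = _VERSION_BY_NAME.get(negotiated)
    return version is not None and version >= MINIMUM_VERSION


def audit_connections(records):
    """Return the peers whose recorded negotiated protocol fails is_strong().
    `records` is an iterable of (peer, negotiated_protocol) pairs, e.g. gathered
    by logging SSLSocket.version() after each handshake."""
    return [peer for peer, negotiated in records if not is_strong(negotiated)]


# Constructed sample records (not real hosts or observed traffic).
SAMPLE_CONNECTIONS = [
    ("gateway.example", "TLSv1.2"),
    ("legacy-pos.example", "SSLv3"),
    ("reports.example", "TLSv1.3"),
    ("old-terminal.example", "TLSv1"),
]

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("context refuses SSLv3:", refuses_sslv3(ctx))
    print("peers still on non-strong protocols:", audit_connections(SAMPLE_CONNECTIONS))
```

Used against a real service, `hardened_client_context()` is passed to `ssl.SSLContext.wrap_socket()` or to any library that accepts an `SSLContext`; a peer that only speaks SSL then fails the handshake instead of silently negotiating down. The audit half is only as good as the records fed to it, so the value of `SSLSocket.version()` should be logged per connection rather than assumed from configuration.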
Update: On April 15, 2015, the PCI SSC released a bulletin announcing the publication of version 3.1 of the PCI DSS, which will be effective immediately. Version 3.0 of the PCI DSS will be retired on June 30, 2015.