What must be in place for SSL/early TLS implementations prior to the transition date and for new implementations?

• A. No preparation is required.
• B. A formal Risk Mitigation and Migration Plan is required only for new deployments.
• C. A formal security audit is sufficient.
• D. A formal Risk Mitigation and Migration Plan must be in place for existing SSL/early TLS implementations; new implementations must not use SSL or early TLS.

Answer: (D)

PCI DSS requires retirement of SSL and early TLS by a transition date and mandates a formal Risk Mitigation and Migration Plan. For any existing SSL/early TLS implementations before that date, there must be a documented plan detailing the steps, timeline, testing, and resources to migrate to newer, secure protocols. For new deployments, SSL or early TLS must not be used at all. This combination ensures a deliberate, auditable path to eliminating insecure configurations rather than leaving it to chance.

Options claiming no preparation is needed miss the deadline-driven requirement. Saying the plan is only for new deployments ignores the need to remediate existing systems. Relying on a formal security audit alone ignores the necessity of a concrete migration plan to actually retire insecure protocols.