What migration planning requirement applied to SSL or early TLS implementations is true for prior to the specified date?

• A. Prior to 30 June 2016, existing SSL/early TLS implementations must have a formal Risk Mitigation and Migration Plan in place; new implementations must not use SSL or early TLS.
• B. They could continue using SSL/early TLS without a migration plan if they were already in place.
• C. There is no migration plan requirement.
• D. SSL/early TLS must be replaced with WEP immediately.

Answer: (B)

The key idea is that PCI DSS’s deadline is about stopping the use of SSL and early TLS by a set date, not about mandating a formal migration plan for every deployment before that date. Before the specified date, existing SSL/early TLS deployments could continue operating without a formal migration plan in place, giving organizations time to upgrade. The emphasis is on complying with the deprecation deadline rather than requiring an upfront, documented migration plan for every system already using those protocols. The other options either imply a mandatory plan for new implementations, introduce an unrelated or outdated requirement, or state something too absolute.