Which statement accurately reflects SSL and early TLS policy after the transition date?

• A. New implementations must still use SSL or early TLS.
• B. New implementations must not use SSL or early TLS; existing implementations may continue only with a formal migration plan.
• C. SSL/early TLS may be used in new deployments if approved.
• D. POS POI terminals are exempt from SSL/TLS restrictions.

Answer: (B)

After the transition date, SSL and early TLS are considered unacceptable for new deployments. The goal is to enforce modern cryptography and close known vulnerabilities in older protocol versions. Therefore, new implementations are prohibited from using SSL or early TLS. If an organization already has SSL/early TLS in use, it may continue only if there is a formal, documented migration plan with clear milestones to remove those protocols and move to TLS 1.2 or higher (ideally TLS 1.2+ or TLS 1.3) within a defined timeline. This combination—no new use and a mandated migration plan for existing deployments—is why the statement is correct. The other options imply exceptions or approvals that PCI DSS does not authorize, and there are no exemptions for any device category like POS terminals.