
PCI Council Extends Deadline to Migrate Off Vulnerable SSL Encryption

The Payment Card Industry Security Standards Council (PCI SSC) has set a new deadline for when organizations that process payments should complete the migration off vulnerable SSL and early TLS encryption.

Initially set to June 2016, the migration date has been pushed back two years, to June 2018, the global forum for the development of payment card security standards announced (PDF), giving payment processing entities more time to fully implement TLS 1.1 or higher in their systems.

PCI SSC included the initial deadline for the migration in the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April 2015. The Council also announced that the new deadline date will be included in the next version of the PCI Data Security Standard, which should be issued next year.

According to Stephen Orfei, General Manager at the PCI SSC, early market feedback suggested that the migration to a more secure standard would be technically simple, but a variety of business issues emerged as the Council continued its dialogue with merchants, payment processors and banks. The Council decided to push back the date to ensure that all businesses can implement the stronger standard and keep merchants safe from data theft.

“The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in,” Orfei said.

The PCI SSC also announced that it has set a new requirement date by which payment service providers must begin offering the more secure TLS 1.1 or higher encryption. Additionally, the Council updated a requirement that new implementations be based on TLS 1.1 or higher, along with an exception to the deadline date for payment terminals, known as “POI” or Points of Interaction.

According to Troy Leach, Chief Technology Officer at the PCI SSC, while the migration date has been changed to accommodate payment security companies that service thousands of international customers “all of whom use different SSL and TLS configurations,” all companies are encouraged to migrate to the more secure standards as soon as possible, to ensure they can keep up with new developments in security.

Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, disagrees with the PCI Council’s decision to extend the deadline.

“Those organizations that have not started this migration process yet must act swiftly to move away from weak SSL. Staying on SSL affords even more cybercriminals the opportunity to exploit the weakness and gain trusted status,” Bocek told SecurityWeek.

“Heartbleed, Shellshock and POODLE were all industry wake-up calls over the past two years that we need stronger encryption and we need to secure keys and certificates,” he added. “If we don’t move quickly to eliminate SSL, we’re just waiting for another, and possibly even more detrimental, Heartbleed or POODLE to happen.”

“SSL is dead – we must find it, eliminate it, and get to strong TLS as soon as possible, regardless of the PCI Security Council’s decision,” Bocek concluded. “Our role as defenders of our businesses and governments – of the world’s global economy and safety – is not to follow compliance rules but secure and protect. Moving to TLS as fast as possible is part of this responsibility.”

The PCI Council encourages merchants to contact their payment processor and/or acquiring banks to receive details and guidance on how they can update their ecommerce sites to the TLS 1.1 or higher encryption.
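A defender-side check of the requirement the article describes (SSL and early TLS disabled, TLS 1.1 or higher as the floor), as an added example that is not part of the article or of any PCI SSC material: it parses nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports the versions that must be removed. The version list, the expansion of Apache's `all` keyword and the sample directives are assumptions constructed for the example.

```python
"""Audit web-server protocol directives against the PCI DSS 3.1 rule in the
article (SSL and early TLS out, TLS 1.1 the floor). Added example, not PCI SSC code."""
import re

# Weakest to strongest; assumption: TLS 1.3 counts as "1.1 or higher".
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM = "TLSv1.1"

def _rank(version):
    if version not in VERSIONS:
        raise ValueError(f"unknown protocol token: {version}")
    return VERSIONS.index(version)

def parse_nginx(line):
    """'ssl_protocols SSLv3 TLSv1 TLSv1.2;' -> set of enabled versions."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", line)
    if not m:
        raise ValueError("not an nginx ssl_protocols directive")
    enabled = set(m.group(1).split())
    for v in enabled: _rank(v)  # reject tokens we cannot grade
    return enabled

def parse_apache(line):
    """'SSLProtocol all -SSLv3 -TLSv1' -> set of enabled versions.
    Tokens take an optional +/- prefix and apply left to right; 'all' is
    assumed to expand to every entry in VERSIONS."""
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not an Apache SSLProtocol directive")
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        for v in (VERSIONS if name.lower() == "all" else [name]):
            _rank(v)
            (enabled.add if sign == "+" else enabled.discard)(v)
    return enabled

def audit(enabled):
    """Return (compliant, versions below the floor that are still enabled)."""
    bad = sorted((v for v in enabled if _rank(v) < _rank(MINIMUM)), key=_rank)
    return (not bad and len(enabled) > 0), bad

# Constructed sample directives: a legacy server beside its corrected form.
LEGACY_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
FIXED_NGINX = "ssl_protocols TLSv1.1 TLSv1.2;"
LEGACY_APACHE = "SSLProtocol all -SSLv2"
FIXED_APACHE = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1"

if __name__ == "__main__":
    for line in (LEGACY_NGINX, FIXED_NGINX, LEGACY_APACHE, FIXED_APACHE):
        ok, bad = audit(parse_nginx(line) if "ssl_protocols" in line else parse_apache(line))
        print(f"{line:<48} {'OK' if ok else 'FAIL, disable ' + ', '.join(bad)}")
```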

*Updated with commentary from Kevin Bocek.
