The Payment Card Industry Security Standards Council (PCI SSC) has set a new deadline by which organizations that process payments must complete their migration off vulnerable SSL and early TLS encryption.
Initially set for June 2016, the migration date has been pushed back two years, to June 2018, the global forum for the development of payment card security standards announced, giving payment processing entities more time to fully implement TLS 1.1 or higher in their systems.
PCI SSC included the initial deadline for the migration in the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April 2015. The Council also announced that the new deadline date will be included in the next version of the PCI Data Security Standard, which should be issued next year.
According to Stephen Orfei, General Manager at the PCI SSC, early market feedback suggested that the migration to more secure standards would be technically simple, but a variety of business issues emerged as the dialog with merchants, payment processors and banks continued. The Council decided to push back the date to ensure that all businesses can implement the stronger standard and keep merchants safe from data theft.
“The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in,” Orfei said.
The PCI Security Standards Council also announced that it has set a new date by which payment service providers must begin offering the more secure TLS 1.1 or higher. Additionally, the Council updated the requirement that new implementations be based on TLS 1.1 or higher, and added an exception to the deadline for payment terminals, known as Points of Interaction (POI).
According to Troy Leach, Chief Technology Officer at the PCI SSC, while the migration date has been changed to accommodate payment security companies that service thousands of international customers “all of whom use different SSL and TLS configurations,” all companies are encouraged to migrate to the more secure standards as soon as possible, to ensure they can keep up with new developments in security.
Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, disagrees with the PCI Council’s decision to extend the deadline.
“Those organizations that have not started this migration process yet must act swiftly to move away from weak SSL. Staying on SSL affords even more cybercriminals the opportunity to exploit the weakness and gain trusted status,” Bocek told SecurityWeek.
“Heartbleed, Shellshock and POODLE were all industry wake-up calls over the past two years that we need stronger encryption and we need to secure keys and certificates,” he added. “If we don’t move quickly to eliminate SSL, we’re just waiting for another, and possibly even more detrimental, Heartbleed or POODLE to happen.”
“SSL is dead – we must find it, eliminate it, and get to strong TLS as soon as possible, regardless of the PCI Security Council’s decision,” Bocek concluded. “Our role as defenders of our businesses and governments – of the world’s global economy and safety – is not to follow compliance rules but secure and protect. Moving to TLS as fast as possible is part of this responsibility.”
The PCI Council encourages merchants to contact their payment processor and/or acquiring bank for details and guidance on how to update their ecommerce sites to TLS 1.1 or higher.
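A merchant verifying its own migration needs a way to confirm that a site no longer accepts SSLv3 or TLS 1.0 and does accept TLS 1.1 or higher. The following audit script is an added example, not code from the PCI SSC or from this article; it assumes Python 3.7+ backed by OpenSSL (the `minimum_version`/`maximum_version` pinning and the `@SECLEVEL=0` cipher string are OpenSSL features), and the `pci_verdict` rule simply encodes the "SSL and early TLS fail, TLS 1.1 or higher passes" floor the article describes.

```python
import socket
import ssl

# Versions to probe, oldest first. PCI DSS treats SSL and TLS 1.0 ("early TLS")
# as weak; TLS 1.1 or higher is the required floor.
PROBES = [("SSLv3", ssl.TLSVersion.SSLv3), ("TLSv1.0", ssl.TLSVersion.TLSv1),
          ("TLSv1.1", ssl.TLSVersion.TLSv1_1), ("TLSv1.2", ssl.TLSVersion.TLSv1_2)]
WEAK = {"SSLv3", "TLSv1.0"}


def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to one version: 'accepted', 'refused', or
    'unsupported-locally' (our OpenSSL cannot offer it, so nothing was learned)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # auditing protocol versions, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"
    try:  # OpenSSL's security level also blocks old versions; lower it if possible
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError as e:
        # "no protocols available" means our own library refused, not the server
        return "unsupported-locally" if e.reason == "NO_PROTOCOLS_AVAILABLE" else "refused"
    except OSError:
        return "refused"


def audit(host, port=443):
    """Probe every version in PROBES; returns {version_name: outcome}."""
    return {name: probe_version(host, port, ver) for name, ver in PROBES}


def pci_verdict(results):
    """Any accepted SSL/early TLS fails the audit. Returns (compliant, offending)."""
    offending = sorted(v for v, out in results.items() if v in WEAK and out == "accepted")
    return (not offending, offending)


if __name__ == "__main__":
    import sys
    res = audit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    ok, bad = pci_verdict(res)
    print(res, "PASS" if ok else "FAIL: " + ", ".join(bad))
```

An "unsupported-locally" result for SSLv3 only means the auditing host's OpenSSL cannot speak it; rerun from a build that can before treating that version as confirmed disabled.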
Updated with commentary from Kevin Bocek.