PCI Compliance - Deadline Moved

Organizations Using SSL and Early TLS Encryption Must Change to a Secure Version of TLS (Currently 1.1 or Higher) by June 2018

Tue, 15th Dec 2015
By Robert Payne


WAKEFIELD, Mass. Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC), a global forum for the development of payment card security standards, today announced a change to the date by which organizations that process payments must migrate to TLS 1.1 encryption or higher. The previous date of June 2016 has been moved to June 2018.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle.

And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in.”

“Some payment security organizations service thousands of international customers, all of whom use different SSL and TLS configurations,” said Troy Leach, Chief Technology Officer, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle.”

In addition to the migration deadline date change, the PCI Security Standards Council has updated:

- A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption.
- A requirement for new implementations to be based on TLS 1.1 or higher.
- An exception to the deadline date for payment terminals, known as “POI” or Points of Interaction.

To answer questions about the migration deadline date change and other requirement updates, the PCI Security Standards Council has recorded a webinar that includes the National Institute of Standards and Technology (NIST), which originally reported the vulnerabilities in SSL and early versions of TLS in 2014. Expert speakers from the Assessor community, who review and grade organizations on compliance with payment security requirements, are also on the webcast. In addition, a Bulletin on Migration has been created and is available for download from the PCI Security Standards Council website.

Merchants are encouraged to contact their payment processors and/or acquiring banks for detailed guidance on upgrading their ecommerce sites to the more secure encryption offered by TLS 1.1 or higher.
This article was posted on Thu, 4th Feb 2016
