New date for migrating off vulnerable SSL and early TLS encryption

Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) announced a change to the date that organizations who process payments must migrate to TLS 1.1 encryption or higher. The previous date of June 2016 has been moved to June 2018.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in.”

“Some payment security organizations service thousands of international customers all of whom use different SSL and TLS configurations,” said Troy Leach, CTO, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle.”

In addition to the migration deadline date-change, the PCI Security Standards Council has updated:

• A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption
• A requirement for new implementations to be based on TLS 1.1 or higher
• An exception to the deadline date for Payment Terminals, known as “POI” or
  Points of Interaction.