Following significant feedback from the global PCI community and security experts, the PCI Security Standards Council (PCI SSC) has extended the migration completion date for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher) to 30 June 2018.
This change gives organisations struggling to move away from SSL and TLS v1.0, for example because of legacy applications or customer support issues, an extra two years to complete their migration.
Note that while the new date does grant extra time to complete the migration, the PCI SSC is still encouraging organisations to complete their migration as soon as possible in order to address their exposure to known exploits.
Until the migration is complete, organisations are expected to have a Risk Mitigation and Migration Plan that documents how and where the insecure protocols are used, how and when they will be replaced with a secure version of TLS, and what risk mitigation measures are in place in the meantime to reduce susceptibility to known exploits.
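The first task that plan calls for, working out where SSL and early TLS are still in use, is easiest on the server side (disable the protocols on a test endpoint and see what breaks) but harder for clients you do not control: a payment terminal, a partner's integration or an old browser will simply fail once TLS 1.0 is switched off. The following example, added here and not code from the PCI SSC or from the original post, parses a TLS ClientHello captured from the wire and reports the highest protocol version the client can negotiate; any client whose maximum is SSLv3 or TLS 1.0 is one that the migration will break and that needs to appear in the plan. The `build_client_hello` helper and the byte strings it produces are constructed test input, not captured traffic, and the function names are this example's own.

```python
"""Inventory helper for an SSL/early TLS migration: what is the highest
protocol version a client offers in its ClientHello?

Added example, not part of the PCI SSC guidance. Works on a single TLS
record (e.g. the first bytes of a captured connection); the ClientHello
builder below exists only to produce constructed sample input.
"""
from __future__ import annotations

import struct

# Protocol version codes as carried on the wire.
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# "SSL and early TLS" in PCI DSS terms: any SSL version and TLS 1.0.
EARLY = {"SSLv3", "TLS 1.0"}
SUPPORTED_VERSIONS_EXT = 0x002B   # RFC 8446 supported_versions extension


def parse_client_hello(record: bytes) -> tuple[int, list[int]]:
    """Return (legacy client_version, supported_versions list) from one
    TLS handshake record carrying a ClientHello. Raises on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    (client_version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # session id (1-byte length)
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                              # cipher suites (2-byte length)
    pos += 1 + hello[pos]                          # compression methods (1-byte length)

    supported: list[int] = []
    if pos + 2 <= len(hello):                      # extensions block is optional
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = data[0]                        # byte length of the version list
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + n, 2)]
    return client_version, supported


def highest_offered(record: bytes) -> str:
    """Name of the highest version the client can negotiate.

    A TLS 1.3 client sets client_version to TLS 1.2 and lists its real
    versions in supported_versions, so that extension wins when present.
    Unknown codes (e.g. GREASE values some browsers send) are ignored."""
    client_version, supported = parse_client_hello(record)
    known = [v for v in supported if v in VERSION_NAMES]
    top = max(known) if known else client_version
    return VERSION_NAMES.get(top, f"0x{top:04x}")


def needs_migration(record: bytes) -> bool:
    """True if the client cannot go above SSL/TLS 1.0, i.e. it will fail
    once SSL and early TLS are disabled on the server."""
    return highest_offered(record) in EARLY


def build_client_hello(client_version: int, supported: list[int] | None = None) -> bytes:
    """Constructed sample ClientHello (not captured traffic) for testing."""
    extensions = b""
    if supported:
        data = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        extensions = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    hello = (struct.pack("!H", client_version)
             + bytes(32)                           # client random (zeros in this sample)
             + b"\x00"                             # empty session id
             + struct.pack("!H", 2) + b"\x00\x2f"  # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")                        # compression: null only
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", client_version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, rec in [("legacy TLS 1.0 client", build_client_hello(0x0301)),
                       ("TLS 1.2 client", build_client_hello(0x0303)),
                       ("TLS 1.3 client", build_client_hello(0x0303, [0x0304, 0x0303]))]:
        print(f"{label}: max {highest_offered(rec)}, blocked by migration: {needs_migration(rec)}")
```

Run this over the first record of each inbound connection in a capture and the clients that report `TLS 1.0` or `SSLv3` are the ones the plan has to address before the deadline; a client whose maximum is TLS 1.1 or higher can already be served once early TLS is turned off.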
The PCI DSS requirements affected by SSL & early TLS and hence impacted by this change to the deadline date are:
| Requirement | Description |
|---|---|
| 2.2.3 | Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. |
| 2.3 | Encrypt all non-console administrative access using strong cryptography. |
| 4.1 | Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. |
| 8.2.1 | Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
The 30 June 2018 migration date does not apply in all cases. The PCI SSC’s revisions call out some exceptions:
- All ‘processing and third party entities’ (i.e. Acquirers, Processors, Payment Gateways, Virtual Terminal Providers and other Service Providers) must provide a TLS v1.1 or greater Service Offering by 30 June 2016.
- The PCI DSS v3.1 exception for SSL/early TLS within a Point of Interaction (POI) terminal and its termination point has been extended: where the POI terminal and termination point can be verified as not being susceptible to any known exploits for SSL and early TLS, their continued use is allowed beyond June 2018.
Full details of the revisions can be found in the official PCI SSC bulletin on this announcement.
The PCI SSC has also published a webinar discussing the vulnerabilities and risks associated with SSL and early TLS, and how a migration can be carried out to ensure compliance with the PCI DSS requirements.
The original SSL/TLS migration guide released with PCI DSS v3.1 can also be downloaded from the PCI SSC document library
The new deadline date of June 2018 will be included in the next version of the PCI Data Security Standard, which is expected in 2016 – watch this space for news as we have it!