PCI DSS Dials Back on SSL/TLS 1.1 Requirement

The Payment Card Industry Security Standards Council pushes back the date for organizations to migrate away from the vulnerable encryption technology standard.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors


Organizations that need to be compliant with Payment Card Industry Data Security Standard (PCI DSS) version 3.1 are getting a reprieve on a key compliance measure. They now do not need to migrate to Transport Layer Security (TLS) version 1.1 or higher until June 2018, a two-year delay from the original data of June 2016.

The PCI DSS 3.1 standard first debuted in April, shifting away from older versions of TLS and Secure Sockets Layer (SSL) in a bid to reduce the risk of exposure from insecure data transport protocols. One of the key requirements in PCI DSS 3.1 is for organizations to disable all use of SSL version 3. SSL has been determined to be cryptographically insecure by a large volume of research, as evidenced by the POODLE vulnerability in SSL 3 that was first disclosed in October 2014.

"One of the key factors that gave us the confidence in pushing out the date to June 2018 is that, at the moment, we're not seeing criminals accessing cardholder data through these vulnerabilities," Jeremy King, international director of the PCI Security Standards Council (PCI SSC), told eWEEK.

In moving the date back, PCI SSC is trying to balance risk and operational needs, King said. That is, how does the risk associated with the added time needed to migrate to TLS 1.1 or higher balance with the potential loss of business for merchants, processors and assessors?

"What is absolutely clear is that this is not a signal to organizations to do nothing for two years. In fact, it is quite the opposite," he said. "For sure, if a company can migrate away from SSL and early TLS today, then they should do so immediately."

If it is not practical for an organization to move to TLS 1.1 or higher just yet, then the company must understand that it is at greater risk and so must take greater care, King stressed. Organizations must have clear mitigation and migration plans to deal with the time between now and their migration, and they must be very aware of strange activity related to SSL and early TLS protocols.

As to why PCI SSC is making the announcement about the TLS migration date now, during the busiest time of the year for retailers, King said the announcement is being made as early as possible after receiving and analyzing feedback from the PCI SSC's global community.

"After merchants and service providers started looking at their systems to make the shift, it became apparent to them that the migration was going to have far wider-ranging business implications than was originally thought," he said. "This made the original shift date challenging for virtually everyone."

David Picotte, manager of security engineering at Rapid7, is among those who are not surprised at PCI SSC's extension of the TLS migration deadline. Picotte said PCI SSC doesn't want the majority of merchants suddenly assessing PCI DSS in a noncompliant state because time ran out.

"It's also possible that the date gets moved forward should a new attack technique be discovered in the coming years that dramatically reduces the complexity of a successful attack," Picotte told eWEEK. "To remain secure, merchants should ensure that all new implementations use TLS 1.1 or above."

Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said there is no question that the migration away from SSL and early TLS is absolutely necessary to protect payment data and other sensitive data types. Extending the migration deadline is a pragmatic concession by PCI SSC that some legacy hardware environments will be very difficult to patch or update, he added.

"Some of the most vulnerable environments, such as e-commerce, have already migrated or efforts should be well underway," Sadowski told eWEEK. "Despite the extension, organizations that are affected are generally aware that they should not be waiting another two years to address this well-known vulnerability."

From a PCI DSS standard perspective, a formal update set to be released in 2016 that will codify the migration date move as well as provide additional changes to PCI DSS. King said 2016 is already scheduled to be a PCI DSS standard update year, as per the PCI SCC's standards development life cycle. It's not clear yet if the 2016 update will still be called PCI DSS 3.1 or if it will be given a new number.

"We are conscious that too many changes in quick succession can cause confusion to the marketplace, so we are currently looking at how best to proceed," King said. "Therefore, the version iteration has not yet been finalized. As soon as it is, we will let everyone know."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.