In April 2015 the PCI Security Standards Council announced a sunset date for the use of SSL v3 and TLS 1.0, which is also codified in PCI DSS v3.1. In mid-December 2015 the PCI Security Standards Council revised this deadline for the SSL and TLS migration to June 30, 2018.

In our opinion this shift in dates poses a security risk, especially in view of the somewhat confusing communication from the PCI SSC. While we share this information with you and will happily accept migration plans for SSL v3 and TLS 1.0 that show completion dates up to June 30, 2018, we still urge you to move away from the insecure versions of SSL and TLS as soon as possible.

Information from the PCI Council about the SSL and TLS migration shift

An overview of the update

  • sunset date for SSL v3 and TLS 1.0 is moved to June 30, 2018
  • POI devices may continue to use SSL v3/TLS 1.0 after June 30, 2018 if it can be shown that they are not susceptible to any known exploits for SSL and early TLS
  • a new version of the PCI DSS standard will be published in first quarter of 2016 to reflect the changes

It is announced that the revision will state the following:

  1. All processing and third-party entities, including Acquirers, Processors, Gateways and Service Providers, must provide a TLS 1.1 or greater service offering by June 2016.
  2. Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater. TLS 1.2 is recommended. (New implementations are when there is no existing dependency on the use of the vulnerable protocols – see PCI SSC Information Supplement: Migrating from SSL and Early TLS.)
  3. All entities must cut over to using only a secure version of TLS (as defined by NIST) effective June 30, 2018 (with the following exception).
  4. SSL/early TLS within a Point of Interaction (POI) terminal and its termination point may continue to be used beyond June 2018 if it can be verified as not being susceptible to any known exploits for SSL and early TLS, with no demonstrable risk, consistent with the existing language in PCI DSS v3.1 for such an exception.

Webinar from PCI Council

Topics covered include:

  • Understanding the vulnerabilities and risk
  • Migrating to TLS 1.1 and higher
  • Addressing impact to POS and POI environments
  • Changes affecting ASV scans
  • How mitigation can work to ensure compliance

This webinar from the PCI Council explains the decision and the next steps from the PCI Council’s point of view. Learn how to address the risks associated with the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) encryption protocols now, to protect your data and your customers. Download the webinar featuring insights and recommendations from the National Institute of Standards and Technology (NIST) and the PCI Council experts.

Voices in the media

We have collected some articles published in the media on this topic.


Questions? Please contact us!