photonetworkde - Fotolia
The PCI SSC revealed that it's pushing back the deadline for enterprises to switch to a more secure version of TLS encryption. What's behind this push? Will this adversely affect the security of organizations subject to PCI DSS?
When the PCI SSC released PCI DSS version 3.1 last year, one of the most significant changes was the announcement that organizations must abandon early, insecure versions of TLS encryption in favor of the more secure TLS 1.1 or higher. This announcement rocked the compliance world as organizations subject to the regulation realized that the change may require the massive reworking of legacy information systems. The only saving grace was that the PCI SSC gave merchants and service providers until June 2016 to upgrade existing technology.
In a December 2015 announcement, PCI SSC backtracked from its previous stand and moved the compliance date for TLS 1.1 from June 2016, two entire years out, with a new deadline of June 2018. Stephen Orfei, general manager of PCI SSC shared that "Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks." While new technology implementations must use strong versions of TLS encryption, merchants with existing implementations have some time to complete their migrations in an orderly fashion.
Explaining the rationale behind the change in position, Orfei said, "We want merchants protected against data theft, but not at the expense of turning away business, so we changed the date."
PCI SSC last month released version 3.2 of the PCI DSS compliance standards; while PCI DSS 3.2 doesn't change the June 2018 deadline for TLS encryption upgrades, it does require organizations to show they have a strategy in place for the migration. So while companies have two years to complete the process, they will need to show how they plan to get there in order to maintain their PCI DSS compliance.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Learn how to create a TLS migration plan
Discover why the end of SSL and early TLS is so important for retailers
Find out how TLS 1.3 updates can ensure secure internet communications
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.