
TLS encryption: Why did the PCI SSC push back the deadline?

The PCI SSC extended the deadline for organizations to update TLS encryption standards before announcing PCI DSS 3.2. Expert Mike Chapple examines the motivation behind this move.

The PCI SSC revealed that it's pushing back the deadline for enterprises to switch to a more secure version of TLS encryption. What's behind this push? Will this adversely affect the security of organizations subject to PCI DSS?

When the PCI SSC released PCI DSS version 3.1 last year, one of the most significant changes was the announcement that organizations must abandon early, insecure versions of TLS encryption in favor of the more secure TLS 1.1 or higher. This announcement rocked the compliance world as organizations subject to the regulation realized that the change may require the massive reworking of legacy information systems. The only saving grace was that the PCI SSC gave merchants and service providers until June 2016 to upgrade existing technology.

In a December 2015 announcement, the PCI SSC backtracked from its previous position and moved the compliance date for TLS 1.1 out by two full years, from June 2016 to a new deadline of June 2018. Stephen Orfei, general manager of the PCI SSC, said that "Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks." While new technology implementations must use strong versions of TLS encryption, merchants with existing implementations have some time to complete their migrations in an orderly fashion.

Explaining the rationale behind the change in position, Orfei said, "We want merchants protected against data theft, but not at the expense of turning away business, so we changed the date."

PCI SSC last month released version 3.2 of the PCI DSS compliance standards; while PCI DSS 3.2 doesn't change the June 2018 deadline for TLS encryption upgrades, it does require organizations to show they have a strategy in place for the migration. So while companies have two years to complete the process, they will need to show how they plan to get there in order to maintain their PCI DSS compliance.
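A practical first step toward the migration plan just described is knowing which of your own endpoints still accept SSL or early TLS. The following Python script is an added example (not from this article or the PCI SSC): it pins a client handshake to each protocol version in turn and classifies the endpoint against the "TLS 1.1 or higher" requirement; the host name and port you point it at are your own inputs.

```python
import socket
import ssl

# Requirement described above: SSL and early TLS (TLS 1.0) out, TLS 1.1+ in (per the 2016 text).
PROTOCOLS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
INSECURE = {"SSLv3", "TLSv1.0"}

def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client's OpenSSL cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate
    try:
        # Let the client really offer legacy versions; with the defaults the client
        # refuses first and an old server would wrongly look "fixed".
        ctx.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # version compiled out of this OpenSSL build
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return None if getattr(e, "reason", None) == "NO_PROTOCOLS_AVAILABLE" else False

def scan_host(host, port=443):
    return {name: probe_version(host, port, ver) for name, ver in PROTOCOLS}

def assess(results):
    """Classify one endpoint's scan against the early-TLS requirement."""
    accepted = {name for name, ok in results.items() if ok}
    findings = sorted(accepted & INSECURE)
    if findings:
        status = "NONCOMPLIANT"
    elif accepted - INSECURE:
        status = "COMPLIANT"
    else:
        status = "UNKNOWN"  # nothing accepted, or nothing could be probed
    return {"status": status, "insecure_accepted": findings, "accepted": sorted(accepted)}
```

Run `assess(scan_host("your-host.example"))` against each payment-facing endpoint in your inventory; a `None` entry means the scanning machine's OpenSSL could not offer that version, so test from a host that can before recording the endpoint as clean.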


This was last published in May 2016
