In a surprise move, the Payment Card Industry Security Standards Council pushed back a crucial PCI DSS 3.1 deadline date for encryption protocols.
PCI DSS 3.1, which was released in April, had originally set the deadline for migrating off SSL and early TLS for June 2016, giving organizations a little over a year to move off those vulnerable protocol versions. However, the PCI SSC extended that deadline to June 2018 after the council received "significant feedback from the global PCI community and security experts."
"Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks," said Stephen Orfei, general manager of the PCI SSC, in a press statement. "We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world."
"If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the U.S., that's a lot to handle," Orfei continued. "And it means it will take some time to get everyone up to speed. We're working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in."
The PCI DSS 3.1 release earlier this year was primarily intended to address concerns about the Secure Sockets Layer (SSL) protocol and early versions of Transport Layer Security (TLS) after a run of widely publicized vulnerabilities, notably POODLE, a padding-oracle design flaw in SSL 3.0, and Heartbleed, which was a memory-disclosure bug in the OpenSSL implementation rather than a flaw in the protocol itself.
Despite the extension, the PCI SSC recommended that enterprises complete their migrations as soon as possible. The council also said that payment terminals, or "points of interaction" (POI), are exempt from the deadline and may continue using SSL and early TLS beyond June 2018, because there is "no demonstrative risk" to those devices. The council's guidance ties that exemption to POI devices that can be verified as not being susceptible to the known exploits against SSL and early TLS, so an operator relying on it should be able to document that verification for its assessor.
The council's deadline-revision announcement also sets two nearer-term requirements: payment service providers must offer a secure, more recent TLS service option to their customers by June 2016, and all new implementations must not use SSL or early TLS (in the council's usage, TLS 1.0), meaning they must negotiate TLS 1.1 or higher, with TLS 1.2 the council's preferred target.
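Because the requirement turns on which protocol version a server actually negotiates, the quickest evidence for an assessor is a captured handshake. The following Python is an added example, not code from the article or from the PCI SSC: it parses a TLS ServerHello record from raw bytes and flags the negotiated version as SSL/early TLS or as acceptable under the rule above. The `build_server_hello` helper and the sample records it produces are constructed here for illustration; a real check would feed in the ServerHello record taken from a packet capture.

```python
import struct

# Protocol version bytes as they appear in the TLS record and handshake headers.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# PCI DSS 3.1 no longer counts SSL and "early TLS" (TLS 1.0) as strong cryptography.
NON_COMPLIANT = {"SSLv3", "TLS 1.0"}

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def parse_server_hello_version(record: bytes) -> str:
    """Return the protocol version named in a captured ServerHello record.

    Layout: 5-byte record header (type, version, length), then a 4-byte
    handshake header (type, 24-bit length), then the ServerHello body whose
    first two bytes are the negotiated version. Raises ValueError for
    anything that is not a well-formed ServerHello.

    Caveat: a TLS 1.3 server puts 0x0303 here and signals 1.3 only in the
    supported_versions extension, so such a handshake is reported as
    "TLS 1.2", which is still on the compliant side of the line.
    """
    if len(record) < 11:
        raise ValueError("record too short to hold a ServerHello")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type 0x{content_type:02x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field does not match captured bytes")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_SERVER_HELLO:
        raise ValueError(f"handshake message is not a ServerHello (type 0x{hs_type:02x})")
    if hs_len + 4 != rec_len:
        raise ValueError("handshake length does not match record length")
    major, minor = body[4], body[5]
    return VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")


def assess(record: bytes) -> dict:
    """Classify a ServerHello against the SSL/early TLS rule."""
    version = parse_server_hello_version(record)
    return {"version": version, "pci_compliant": version not in NON_COMPLIANT}


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample record (hypothetical, for illustration only).

    Minimal ServerHello body: version, 32-byte random, empty session id,
    cipher suite 0x002f, null compression. Only the version matters here.
    """
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for sample in [(3, 0), (3, 1), (3, 2), (3, 3)]:
        print(assess(build_server_hello(*sample)))
```

The version checked is the one in the handshake body, not the record-layer header, because clients and servers are allowed to put an older version in the record header for compatibility; the handshake field is what the peers actually agreed on.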