By John Stewart
Acting in response to comment from the industry, the PCI Security Standards Council has extended a key security deadline for payments processors, merchants, and banks by fully two years. These players now have until June 30, 2018, to stop using Secure Sockets Layer (SSL) encryption and instead move to advanced forms of a protocol known as Transport Layer Security (TLS).
SSL is used to establish an encrypted link between a Web site and a server, such as an e-commerce site.
Until Friday’s announcement, the Wakefield, Mass.-based council’s deadline was June 30, 2016. That date was published in the latest version of its Payment Card Industry data-security standard, PCI-DSS 3.1, which came out in April. It was also stated in a 7-page document the council published in April called “Migrating from SSL And Early TLS.”
In addition to the new deadline, the council now requires that processors replace SSL and early TLS encryption with a version of TLS no earlier than version 1.1. The new deadline and requirements will be included in an update of the PCI DSS, which is expected some time next year.
The deadline extension results from “business issues” the council heard about from the industry, council officials say. In particular, the council says, it found that merchants, processors, and financial institutions are already fully occupied with payments projects such as the nationwide conversion to the EMV chip card standard. On top of that, merchants and acquirers are working to equip points of sale to accept mobile wallets now being offered by major companies such as Apple Inc., Google Inc., and JPMorgan Chase & Co.
“We want merchants protected against data theft, but not at the expense of turning away business, so we changed the date,” said Stephen Orfei, general manager of the council, in a statement. Orfei said replacing SSL would be “technically simple” at most organizations, but point-of-sale and related projects industry players are currently tackling amount to “a lot to handle” for the time being.
While two years may strike some observers as a long extension for such a critical changeover, Orfei said the council is not unaware of the risks. “It will take some time to get everyone up to speed,” he said. “We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in.”
Indeed, though the new deadline falls in 2018, the council is advising industry players to make the change sooner. New e-commerce sellers, in particular, should adopt more recent versions of TLS from the start, it says. “We encourage all organizations to migrate as soon as possible and remain vigilant,” said Troy Leach, chief technology officer at the council, in a statement. “Staying current with software patches remains an important piece of the security puzzle.”
Encryption masks sensitive data like credit and debit card account numbers with mathematically derived replacement values that are extremely difficult to crack without access to the encryption key.
Security experts in recent years have pointed to weaknesses in the SSL protocol, which was originally devised by Netscape, an early Web-browser developer, in the early 1990s. In the face of widespread data breaches over the past several years, standards bodies such as the National Institute of Standards & Technology (NIST) have downgraded SSL’s effectiveness.
Under the revised rules released Friday, the 9-year-old TLS 1.1 protocol is the minimum requirement. The council recommends that processors and other industry players move to version 1.2, introduced in 2008.
Nor should merchants and payments organizations try to fix SSL, the council says. “According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS,” it says in a bulletin it issued Friday.
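As an added illustration that is not part of the article or the council's materials, the following Python `ssl` snippet shows what the bulletin's advice looks like in a client configuration: a legacy context that leaves the protocol floor open (so fallback to SSL or early TLS is possible) beside one pinned to TLS 1.2, plus a small audit that grades a context against the 1.1 minimum and the 1.2 recommendation. The function names and the `audit` output keys are assumptions made for this example.

```python
import ssl
from ssl import TLSVersion

# Floors taken from the article: TLS 1.1 is the revised minimum, 1.2 the recommendation.
PCI_MINIMUM = TLSVersion.TLSv1_1
PCI_RECOMMENDED = TLSVersion.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """'Before' configuration (constructed for illustration): no version floor, so the
    library may fall back to SSLv3 / TLS 1.0 if the peer offers nothing better."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLSVersion.MINIMUM_SUPPORTED
    return ctx


def pci_context(floor: TLSVersion = PCI_RECOMMENDED) -> ssl.SSLContext:
    """'After' configuration: pin the floor so fallback to SSL / early TLS cannot happen."""
    ctx = ssl.create_default_context()  # keeps certificate verification switched on
    ctx.minimum_version = floor
    ctx.maximum_version = TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def meets_floor(floor: TLSVersion, target: TLSVersion) -> bool:
    """True when the configured floor is a concrete version at or above `target`.
    MINIMUM_SUPPORTED means 'whatever the library allows', i.e. no floor at all."""
    if floor in (TLSVersion.MINIMUM_SUPPORTED, TLSVersion.MAXIMUM_SUPPORTED):
        return False
    return floor >= target


def audit(ctx: ssl.SSLContext) -> dict:
    """Grade a context against the council's revised rules (assumed helper)."""
    floor = ctx.minimum_version
    return {
        "floor": floor.name,
        "pci_minimum": meets_floor(floor, PCI_MINIMUM),
        "pci_recommended": meets_floor(floor, PCI_RECOMMENDED),
        # Anything below TLS 1.1 is what the bulletin calls SSL / early TLS fallback.
        "allows_early_tls_fallback": not meets_floor(floor, PCI_MINIMUM),
    }


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("pci", pci_context())):
        print(name, audit(ctx))
```

The audit only inspects the version floor; cipher-suite choice and the server side of the deployment are separate checks.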