PCI SSC has officially announced that the deadline for ending the use of the insecure SSL cryptographic protocol has been postponed from June 2016 to June 2018. The decision was made in response to requests from industry representatives and experts in the information security community.
“The first reviews have shown that the transition to more secure encryption is technically simple, but its practical implementation in businesses ran into many problems, which were voiced during the dialogue with sellers of services, processing companies and banks,” said Stephen Orfei, head of PCI SSC.
“We want to protect payment service providers from data theft, but not at the cost of lost business; therefore, we decided to change the date,” said Orfei. “The global payments ecosystem is very complex, especially regarding the increased use of mobile devices for business.
Considering the new requirements imposed by mobile phones, in addition to the SHA-1 browser upgrades and the transition to EMV cards in the US, this is a very large number of tasks. Therefore, it is necessary to give more time to implement the new industry standard. We are working with the industry at all levels of the ecosystem, making every effort to beat the bad guys who want to crack the cryptography.”
The previous deadline for migration to TLS 1.1 or higher, June 2016, was set in the latest version of PCI DSS (3.1), published in April of this year. The new deadline will be included in the next version of the industry standard, which is expected to be released next year.
“Some organizations specializing in the protection of electronic payments have thousands of customers around the world, with different SSL and TLS settings,” said Troy Leach, CTO of PCI SSC.
“The migration deadline will be changed in the new version of the standard, planned for next year, so that these companies and their customers can meet the deadline. Other related provisions will also change, to provide strong encryption for all future customers. Nevertheless, we urge organizations to make the transition as soon as possible. Timely application of software patches is an important element of information security.”