Compliance , Encryption , PCI

PCI Council Extends Encryption Deadline Requirement to Phase Out SSL, Early TLS Pushed to 2018
PCI Council Extends Encryption Deadline
Jeremy King, international director, PCI Security Standards Council

The PCI Security Standards Council has extended its compliance deadline for encryption updates aimed at phasing out vulnerable protocols for Secure Sockets Layer encryption and Transport Layer Security 1.0. Nevetheless, Jeremy King, the council's international director, says merchants, processors and acquirers should not wait to make upgrades.

The vulnerabilities within these protocols are considered serious, the PCI council points out. Over the past two years, many highly-publicized breaches caused by the likes of Heartbleed and Poodle resulted from weaknesses within the protocols. And, according to According to the National Institute of Standards and Technology, no current fixes or patches can repair SSL or early TLS.

But to ensure that merchants are able to maintain PCI compliance while working toward enhancing their encryption practices, King says the council agreed to push back the compliance deadline to June 2018. The deadline had been June 2016.

"One of the key requirements that we always wanted to ensure through the PCI-DSS is the protection of cardholder data throughout the transaction lifecycle," King says in an interview with Information Security Media Group. "And one of the rules we've had from the very start of the first iteration of that is that cardholder data must be encrypted when transmitted across an open, public network."

For nearly two decades, the standard protocols for encrypting cardholder data have been SSL and TLS, he says. "The problem we had was that because it's been around for a long time, criminals were gradually working out how to attack it, and how to defeat it," King says.

In April 2014, NIST downgraded SSL and early TLS, noting that neither protocol provides sufficient encryption, he points out. NIST's downgrade required the council to update version 3.0 of the PCI-DSS, which still relied on SSL and early TLS, King says.

Last year, the council updated the PCI-DSS to include requirements for phasing out SSL and early TLS, and said the changes had to be made by June 2016.

Reason for Delay

But phasing out SSL and early TLS has proved more daunting than initially expected, King says. "We're beginning to realize that we've underestimated not only the impact of actually removing it, switching it out ... but the business impact," he says.

Delaying the requirement to replace SSL and early TLS will give businesses more time to address operational changes that need to made as part of the transition, King adds.

During this interview (see audio link below photo), King discusses:

  • How the council is working to educate qualified security assessors about the compliance date change, which won't be reflected in the PCI-DSS until the end of the first quarter of 2016;
  • Why detecting attacks that aim to exploit SSL and early TLS vulnerabilities should be easy in the coming months; and
  • Steps businesses can take now to ensure they are properly upgrading systems and platforms.

King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI-managed standards in European markets and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.




Around the Network