The group that sets security standards for the payment card industry has decided to delay a requirement that will force payment processors to upgrade to a stronger version of TLS, the standard Web transport encryption protocol.
Back in April, the PCI Security Standards Council released a new version of the PCI Data Security Standard, which included a requirement that processors such as banks, retailers, and others migrate to TLS 1.1 or higher. The requirement is the result of a number of high-profile vulnerabilities and weaknesses discovered in various versions of SSL, the precursor protocol to TLS. The most serious of these bugs is the infamous Heartbleed flaw in OpenSSL that allowed an attacker to recover private keys from target sites. In the aftermath of the Heartbleed disclosure, the National Institute of Standards and Technology, which sets technical standards for the federal government, declared TLS 1.0 to be unsafe.
The PCI DSS 3.1 requirement released in April originally said that payment processors would need to migrate to TLS 1.1 or higher by June 2016. But after receiving feedback from banks and other organizations subject to the standard, the council decided to delay the requirement until June 2018.
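The requirement above is stated in terms of the protocol version a server actually negotiates, so the practical check for an assessor or operator is to look at what comes back in the ServerHello. The following is an added example, written for this article and not code from the PCI SSC or any processor: it parses a TLS handshake record, extracts the negotiated version (reading the supported_versions extension for TLS 1.3, where the legacy field always says 1.2), and evaluates it against the TLS 1.1 floor set by PCI DSS 3.1. The ServerHello records are constructed by hand for the example; the `build_server_hello` helper and its cipher suite choice are assumptions for testing, not captures from any real system.

```python
"""Check the protocol version negotiated in a TLS ServerHello against the
PCI DSS 3.1 floor (TLS 1.1 or higher). All records here are constructed
for the example; none are captured from a real system."""
import struct

# Wire versions are (major, minor) byte pairs.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

PCI_DSS_31_MINIMUM = (3, 2)       # TLS 1.1, the floor set by PCI DSS 3.1
SUPPORTED_VERSIONS_EXT = 0x002B   # RFC 8446 extension id; a TLS 1.3 server
                                  # puts the real version here, not in the
                                  # legacy server_version field


def negotiated_version(record: bytes) -> tuple:
    """Return (major, minor) negotiated in a ServerHello record.

    Raises ValueError for anything that is not a well-formed ServerHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:               # version + random + sid len + suite + comp
        raise ValueError("truncated ServerHello")
    version = (hello[0], hello[1])    # legacy server_version
    pos = 2 + 32                      # skip server_version and 32-byte random
    pos += 1 + hello[pos]             # session_id (length-prefixed)
    pos += 2 + 1                      # cipher_suite and compression_method
    if pos + 2 > len(hello):
        return version                # no extensions block: version is final
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hello))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SUPPORTED_VERSIONS_EXT and len(data) == 2:
            version = (data[0], data[1])   # TLS 1.3 selected_version wins
    return version


def meets_pci_dss_31(record: bytes) -> bool:
    """True when the negotiated version is TLS 1.1 or higher."""
    return negotiated_version(record) >= PCI_DSS_31_MINIMUM


def build_server_hello(version: tuple, selected_version: tuple = None) -> bytes:
    """Construct a minimal ServerHello record for testing (assumed layout,
    zeroed random, empty session id, one fixed cipher suite)."""
    hello = bytes(version) + b"\x00" * 32      # server_version + random
    hello += b"\x00"                           # empty session_id
    hello += b"\x00\x2f"                       # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                           # no compression
    if selected_version is not None:           # TLS 1.3 style extension
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + bytes(selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "legacy SSL 3.0 server": build_server_hello((3, 0)),
        "TLS 1.0 server": build_server_hello((3, 1)),
        "TLS 1.1 server": build_server_hello((3, 2)),
        "TLS 1.3 server": build_server_hello((3, 3), selected_version=(3, 4)),
    }
    for label, rec in samples.items():
        v = negotiated_version(rec)
        verdict = "OK" if meets_pci_dss_31(rec) else "FAILS PCI DSS 3.1"
        print(f"{label:24s} negotiated {VERSION_NAMES.get(v, v)}: {verdict}")
```

Run it as a script to see each constructed sample classified; in practice the record bytes would come from a packet capture or a test client's socket, and the same `negotiated_version` call applies.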
“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager of PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle.”
The PCI DSS standard is a set of security regulations that applies to organizations that accept card payments. The PCI Security Standards Council, which controls the standards, comprises the big credit card companies, including American Express, Discover, and Visa.
Image from Flickr stream of John St. John.