The Payment Card Industry Security Standards Council (PCI SSC) recently announced that organizations which process payments, need to migrate to the latest version of TLS encryption (transport layer security, currently version 1.1 or higher) by latest June 2018. The change of the date was an adjustment from the last PCI Data Security Standard (version 3.1, published in April 2015), which originally had the migration deadline by June 2016.
The extended deadline was in response to feedback from the global PCI community and security experts, wherein it was observed that secure encryption needs to be further promoted to protect merchants from data theft.
On the change of date, Stephen Orfei, General Manager of PCI SSC, said, “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world.”
The urgency to have payment processors update to a TLS encryption protocol was because of the POODLE (padding oracle on downgraded legacy encryption) vulnerability found on earlier SSL (secure sockets layer) encryption versions. This vulnerability on SSL protocols makes online and e-commerce payment processors more susceptible to data breaches.
TLS supersedes SSL encryption by offering a more secure connection. A key improvement from its SSL predecessor is a “handshake” feature: TLS requires further verification before transmitting data between two authorized servers.
The PCI SSC has recorded a webinar to address issues about the migration deadline. A Bulletin on Migration can also be downloaded to help merchants update their encryption.