The Payment Card Industry Security Standards Council (PCI SSC) extends the migration completion date to 30 June 2018 for transitioning to a secure version of TLS-what does this mean for businesses?
SSL (Secure Sockets Layer) has been used as a widely used encryption protocol on websites for more than 20 years. Since April 2015 The PCI SSC have been concerned that this was no longer the most secure method of cryptography as a number of vulnerabilities have been highlighted which are unable to be patched or repaired. This meant that SSL no longer could be relied on as security control for PCI DSS compliance and a migration completion date from SSL to a minimum of TLS 1.1 by June 2016 became a requirement for processing and third party entities.
How do you know what security a website is using?
A secure website page will have ‘// ‘ at the start of the website address. This will be preceded by a padlock icon. If you click on the icon, it will bring up a window, telling you your connection to the site is private. If you then click on details beside this it will give you a security overview showing that the certificate is valid, it has a secure TLS connection and that the resources on the page are served securely.(try it on our Securious site as an example).
Why should SSL be upgraded to a minimum of TLS 1.1?
SSL It is used between systems to authenticate one or both systems, and protect the confidentiality and integrity of information that passes between them. If a website is using SSL or early versions of TLS then it is vulnerable to threats such as ‘man in the middle’ attacks. The PCI SSC has said:
The vulnerabilities within SSL and early TLS are serious. A slew of high-profile breaches caused by POODLE, Heartbleed and Freak are due to weaknesses within the protocols.
Early migration to TLS 1.1 strongly recommended
The PCI SSC has said:
The new date of June 2018 offers additional time to migrate to more secure protocols, but waiting is not recommended. The existence of the POODLE and Heartbleed exploits, among others, prove that anyone using SSL and early TLS risks being breached.
To find out more about how Securious can help you with PCI DSS compliance, see our PCI DSS and credit card security page or call us for a no obligation chat on 01837 871247