PCI SSC extends migration from SSL to TLS to 30 June 2018

The Payment Card Industry Security Standards Council (PCI SSC) has extended the migration completion date for transitioning to a secure version of TLS to 30 June 2018. What does this mean for businesses?

SSL (Secure Sockets Layer) has been a widely used encryption protocol on websites for more than 20 years. Since April 2015 the PCI SSC has been concerned that it is no longer a secure method of cryptography, as a number of vulnerabilities have been identified that cannot be patched or repaired. This meant that SSL could no longer be relied on as a security control for PCI DSS compliance, and migration from SSL to a minimum of TLS 1.1 by June 2016 became a requirement for processing and third-party entities.

How do you know what security a website is using?

A secure web page will have 'https://' at the start of the website address, preceded by a padlock icon. If you click on the icon, it will bring up a window telling you that your connection to the site is private. If you then click on 'details' beside this, it will give you a security overview showing that the certificate is valid, that it has a secure TLS connection and that the resources on the page are served securely (try it on our Securious site as an example).
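The browser check above tells you the protocol for one page; when auditing your own servers or a traffic capture for PCI scope you usually have the raw handshake instead. The following added example (not from the Securious post or the PCI SSC) parses a TLS ServerHello record, reads the version the server actually negotiated (including the TLS 1.3 case, where the real version sits in the supported_versions extension) and flags anything below the TLS 1.1 minimum; the ServerHello bytes it builds are synthetic test data, not a real capture.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
PCI_MINIMUM = 0x0302          # TLS 1.1: the floor the PCI SSC bulletin sets
SUPPORTED_VERSIONS_EXT = 43   # TLS 1.3 carries the real version in this extension


def negotiated_version(record: bytes) -> int:
    """Return the protocol version negotiated by a raw ServerHello record."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[0:2])[0]
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1) [extensions]
    pos = 2 + 32
    pos += 1 + hello[pos]        # session_id length byte plus the session_id itself
    pos += 2 + 1                 # cipher suite, compression method
    if pos + 2 > len(hello):
        return version           # no extensions: the handshake version is authoritative
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == SUPPORTED_VERSIONS_EXT and length == 2:
            # TLS 1.3 servers send legacy_version 0x0303; the negotiated version lives here
            return struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += length
    return version


def assess(record: bytes) -> tuple:
    """Name the negotiated version and say whether it meets the PCI SSC minimum."""
    v = negotiated_version(record)
    return VERSION_NAMES.get(v, "unknown 0x%04x" % v), v >= PCI_MINIMUM


def build_server_hello(version: int, supported_version: int = None) -> bytes:
    """Constructed ServerHello for testing (synthetic bytes, not a real capture)."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body
```

Feeding the same function the ServerHello bytes from a packet capture of your own servers gives a quick inventory of which ones still negotiate SSL 3.0 or TLS 1.0 and therefore need the migration the bulletin describes.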

Why should SSL be upgraded to a minimum of TLS 1.1?

SSL is used between systems to authenticate one or both of them and to protect the confidentiality and integrity of the information that passes between them. If a website is using SSL or an early version of TLS, it is vulnerable to threats such as 'man in the middle' attacks. The PCI SSC has said:

The vulnerabilities within SSL and early TLS are serious. A slew of high-profile breaches caused by POODLE, Heartbleed and Freak are due to weaknesses within the protocols.

Early migration to TLS 1.1 strongly recommended

The PCI SSC has said:

The new date of June 2018 offers additional time to migrate to more secure protocols, but waiting is not recommended. The existence of the POODLE and Heartbleed exploits, among others, proves that anyone using SSL and early TLS risks being breached.

PCI SSC Bulletin on migrating from SSL and early TLS

To find out more about how Securious can help you with PCI DSS compliance, see our PCI DSS and credit card security page or call us for a no-obligation chat on 01837 871247.

Securious is a data & cyber security company based in Devon serving businesses and organisations across the South West and beyond. We offer rapid Cyber Essentials certification, ISO 27001 Compliance and PCI DSS Compliance as well as PEN testing (penetration testing) and cyber security consultancy.
