TLS v1.1 Deprecation

Jeff Lasker

As of March 25, 2021, the Internet Engineering Task Force (IETF) released RFC 8996, which formally deprecated the use of TLS v1.1—a deprecation that is a result of evolving cryptographic standards. Some of the primary reasons for the shift to TLS 1.2 include:

Versions 1.1 and 1.0 lack support for current and recommended cryptographic algorithms and mechanisms.
Versions 1.1 and 1.0 require the implementation of older cipher suites that are no longer desirable for cryptographic reasons.
There is a lack of support for current recommended cipher suites, especially authenticated encryption with associated data (AEAD) ciphers, which were not supported prior to TLS 1.2.
The integrity of the handshake depends on SHA-1 hash, allowing an attacker to impersonate a server when it is able to break the severely weakened SHA-1 hash.

(Please refer to the RFC for full details.)

As PCI QSAs, we are often asked which TLS protocols are acceptable for use regarding the cardholder data environment. Though the PCI DSS itself does not mandate specific industry standards for meeting strong cryptography, it does recommend that entities monitor changes to industry standards and best practices for cryptographic protocols, and where applicable, make changes to apply minimum cryptographic standards within their environments, especially with respect to securing sensitive information such as authentication credentials and cardholder data. Furthermore, PCI DSS actually does require that all cryptographic implementations—including TLS—use and support modern cryptographic algorithms, secure configuration settings, and other features as needed to meet the intent of strong cryptography.

As is actually stated in FAQ #1491, “this means that every TLS implementation, irrespective of the protocol version, must apply strong cryptography using an appropriate cipher suite to implement a secure key exchange algorithm, strong cryptography, and an appropriate message authentication for strong cryptography and security protocols.” Notably, there are a few critical areas within the PCI DSS where the use of strong cryptography using TLS comes into play:

Requirement 2.3: Encrypt all non-console administrative access to systems in-scope for a PCI DSS assessment using strong cryptography. This includes non-console connections to systems over Remote Desktop Protocol, SSH, as well as any web-based administrative consoles (which could use TLS v1.1).
Requirement 4.1: Use strong cryptography and security protocols when transmitting sensitive cardholder data over open, public networks.
Requirement 8.2.1: Use strong cryptography to render all authentications credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

What Should I Do Next?

While the PCI SSC has not specifically commented on the deprecation of TLS v1.1, they have reiterated the guidance provided in FAQ #1491 mentioned above. Entities planning for their annual PCI assessment should begin taking steps immediately to determine where TLS v1.1 may exist in their environments. Reviewing internal and external vulnerability scan reports is a good starting point, since the protocol should now start flagging as a high or critical finding. Not only will the scans identify already known instances of TLS v1.1, but they should also identify any instances that may have not been previously known. Once identified, organizations can then start developing a path forward, including removing cases of TLS v1.1 where possible, or implementing an appropriate compensating control for those that may require additional time to resolve. Consider checking with your assessor on whether the compensating control being considered is likely to be acceptable for your assessment.

Some might say the writing has been on the wall since August 29, 2019, when NIST published SP 800-52 Rev. 2, Guidelines for TLS Implementations. Be that as it may, efforts should be made to remove deprecated protocols, including TLS v1.1, as soon as possible to ensure that the security of the cardholder data environment is not impacted. As cryptographic protocols continue to evolve, entities should continue to review industry standards and best practices regarding such while monitoring for new vulnerabilities to existing protocols.

About the Author

Jeff Lasker is a Manager at Schellman & Company, LLC. Jeff began his professional career in 2007 while working as an IT auditor for one of the Big 4 accounting firms. Jeff executed several critical projects for clients in the areas of IT systems controls, Service Organization Controls (SOC) reporting projects, and Sarbanes-Oxley compliance. Jeff joined Schellman & Company, LLC in 2008 and is now dedicated exclusively to providing Payment Card Industry (PCI) services to clients. To date, Jeff has provided services to clients in the financial services, governmental, human resources, information technology, insurance, and manufacturing industries, among others. Jeff has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies.
More Content by Jeff Lasker

How Much Will Your Audit Cost?

It All Starts with Defining Scope and Customer Commitment So your customer (or sales rep) told ...

PCI Secure SLC v1.1 - Updates and Benefits to SSF

Schellman's Joe O'Donnell provides an overview of the newly released PCI SSLC Standard 1.1

Return to Home

Stay up to date and discover new insights into compliance through our team’s thought leadership

TLS v1.1 Deprecation

What Should I Do Next?

About the Author

Previous Article

Next Article

TLS v1.1 Deprecation

What Should I Do Next?

About the Author

Previous Article

Next Article

Most Recent Articles

In February 2023, the OCR reported recent HIPAA issues & breaches to Congress—we break down the details so you can understand where other organizations fell short and avoid similar pitfalls.

For those operating in the federal space, we break down 4 commonly referenced NIST Special Publications in 800-34, 800-61, 800-63, and 800-218, including what they address and how.

Schellman welcomes Matt Goodrich as our new Head of Transformation. His expertise and vision will be instrumental in helping us drive further growth.

Becoming PCI DSS compliant is a complex process. We walk you through the first steps in determining what you need, as well as the steps for completing an assessment so that you know what to expect.

Considering a HIPAA assessment? Whether you choose to perform it internally or engage an independent third party, we share 7 steps to focus your preparation and boost your compliance.

Having already assessed organizations against the new PCI DSS v4.0, we're publishing the insight gained to help you understand more of what's coming and boost your preparation for the new standard.

With the release of the Biden Administration's new cybersecurity strategy in March 2023, cybersecurity has become an American priority. We break down the details, as well as how you can prepare.

Not sure what you're getting into with HITRUST certification? We break down the complete process into 4 steps so you can know what to expect and how to get from start to finish.

Schellman welcomes Michael Parisi as our new Head of Client Acquisition to assist as an integral part of our proactive growth initiatives.

PCI DSS v4.0 is a big shift for everyone involved in payment transactions, but we explain what and why those specifically in the banking industry should take a closer look at the updated standard.

Considering a FedRAMP Moderate Assessment? We break down what to expect from the process, the elements that will be evaluated, and specific areas to take care of so you can streamline your experience.

Defining the secure exchange of data is critical for PCI DSS compliance. To help you do that more easily, we break down all the elements, which ones are stronger than others, & how they work together.

Wondering how a web application penetration test actually works? We overview the 4 steps of our process so that you can know what to expect from your engagement.

With the debut of HITRUST CSF v11, it's important to know the dates for the phase-out of previous versions. We break down how it'll work for the i1 & r2 assessments so your transition goes smoothly.

With the debut of the Cloud Italy Strategy, cloud service providers may need to adhere to the new requirements. We break these down so that you can more easily jumpstart your compliance.

Internal audit teams can be big boons to an organization, but they're not always an option. We explain the benefits of these teams as well as an alternative to pursue for similar efficiency yields.

Now that HITRUST has released a new version of CSF, we explain what changes and updates have been made to your HITRUST assessment options in version 11. “New year, new me!”

Understand the true depth of the role management plays in a potential ISO 27001 certification, as laid out in clauses 5 & 9.3, so that you can better set expectations with leadership at your firm.

Current pace of software releases making it difficult to remain compliant with change management requirements? Learn how branch protection can help you in this & keep your software development secure.

Looking for insight on where to draw the boundaries of your ISMS? We break down the scoping clauses of the ISO 27001 standard so that you have a starting point regarding what needs to be included.