Today, the PCI SSC announced an update to the deadlines to remove insecure cryptographic protocols, namely SSL and early TLS (i.e., TLS 1.0). The original publication required disabling these protocols and replacing them with current versions of TLS by June 30, 2016, but today’s announcement extends this deadline to June 30, 2018.
PCI SSC still recommends migrating to secure versions of these protocols as soon as possible, in order to mitigate the risk of vulnerabilities such as the POODLE attack. It continues to permit the insecure protocols only for existing implementations, and only where a risk mitigation and migration plan is in place. For organizations with long lead times to complete this transition, however, the schedule change allows more time to do so.
Please contact us for any questions about SSL and TLS as it relates to PCI DSS compliance or for other PCI DSS compliance questions.
About the Author
Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.