Why Change the TLS Migration Date?
It has been known for a while that SSL/TLS had vulnerabilities, however when POODLE first became known the PCI SSC jumped quickly to release the PCI DSS version 3.1, which stated that organizations had to migrate to TLS 1.1 or higher and disable any fallback to SSL/early TLS. Within PCI DSS version 3.1 the deadline for all these changes was June 2016 and by that time all organizations such as Acquirers, Processors, Gateways, and Service providers must have migrated to TLS 1.1 or higher. The PCI SSC rushed to release the PCI DSS version 3.1 compliance due to the SSL/early TLS vulnerability, however, now the PCI SSC has informed the public that they have pushed back the migration date to June 2018.
When the PCI SSC began to look into the migration timeline, the first initial feedback showed that from a technical perspective the migration would be simple to carry out, which is in fact the case. However, when organizations began to implement the necessary changes to move to TLS 1.1 or higher it became clear that these changes would affect the organizations’ ability to accept the new business opportunity, as well as other additional business implications that could not be afforded. Another concern was that if major international organizations don’t have enough time to migrate to the new standards before they get assessed, they will be left in a state of noncompliance. The PCI SSC understands that it takes time for all payment platforms to be up to code with TLS 1.1 or higher, so with that in mind the PCI Security Standard Council has decided to push the migration date to June 2018.
While the decision was made to push back the migration date, it was not made lightly. The PCI SSC has seen no criminal activity involving the vulnerabilities related to SSL/early TLS, giving them more confidence to push back the date which will be officially released with the PCI DSS version 3.2. However, they have also added additional guidelines that will have to be put in place by June 2016. For example, all processing and third-party entities, including Acquirers, Processor, Gateway, and Service providers must be integrated with TLS 1.1 or higher by June 2016. Organizations also need to prepare a Risk Migration and Migration Plan, that details their plans for migrating to TLS 1.1 or higher as well as describe the controls in place by the organization to reduce the risks surrounding SSL/early TLS. This plan will need to be ready and provided to their assessor as directed by the PCI DSS assessment process.
It is important to understand that the time extension doesn’t mean companies should wait to migrate to a more secure protocol. It has been extended for organizations that won’t be able to meet the original deadline. The PCI SSC urges all entities that have the ability to upgrade their encryption, to do so as soon as possible because of the extreme risks within using SSL/early TLS as well as disable all fallbacks to SSL/early TLS.