The PCI DSS deadline for any firm that processes payments to migrate to TLS 1.1 encryption or higher has gone back to June 2018.
The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016, the US-based council says.
Stephen Orfei, General Manager, PCI SSC, said: “Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialogue with merchants, payment processors and banks. We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, specially when you think about how much more business is done today on mobile devices around the world.”
Some background
The PCI DSS stands for Payment Card Industry Data Security Standard. Founding members were American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The PCI Security Standards Council requires retailers and others who take payments by plastic card to secure cardholder data where it is captured at the point of sale and as it flows into the payment system. Visit https://www.pcisecuritystandards.org.
About TLS
The Transport Layer Security (TLS) protocol, Secure Sockets Layer (SSL) protocol, versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. In the authentication process, a TLS/SSL client sends a message to a TLS/SSL server, and the server responds with the information that the server needs to authenticate itself. This dates from the early days of the world wide web, for secure transactions.
