BreachExchange mailing list archives

Deadline for Better Encryption on Payment Systems Pushed Back Two Years


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Dec 2015 18:02:02 -0700

http://news.softpedia.com/news/deadline-for-better-encryption-on-payment-systems-pushed-back-by-2-years-497913.shtml

The Payment Card Industry Security Standards Council (PCI SSC) has
announced that it has pushed back the mandatory date by which organizations
that process card payments, online or in person, must migrate to TLS 1.1 or
higher.

In April 2015, PCI SSC (in PCI DSS 3.1) told all organizations that handle
payment card data that SSL and early TLS no longer count as strong
cryptography and that they must move to TLS 1.1 or higher, with TLS 1.2
recommended. The press release at the time set a migration deadline of June
2016.

PCI SSC now says that feedback from the field has forced it to push the
date back to June 2018; as the quote below makes clear, the obstacles were
business ones rather than technical ones.

The banking industry is a little busy right now and needs more time

"Early market feedback told us migration to more secure encryption would be
technically simple, and it was, but in the field a lot of business issues
surfaced as we continued dialog with merchants, payment processors and
banks," states Stephen Orfei, General Manager, PCI SSC. "We want merchants
protected against data theft but not at the expense of turning away
business, so we changed the date."

PCI SSC says that payment operators were stretched this year by the need to
secure mobile payments, the rollout of EMV (chip and PIN) cards in the US,
and the accelerated browser deprecation of SHA-1 certificates that followed
researchers' demonstration of a freestart collision against the hash in
October 2015.

Taken together, Mr. Orfei argues, these would have added enough complexity
to the TLS migration to cause implementation errors.

For this reason, PCI SSC is giving businesses more time to move away from
the insecure SSL 3.0 and TLS 1.0 protocols.

Reason for TLS 1.1+ upgrade: SSL 3.0 and TLS 1.0 deemed vulnerable,
unfixable

The TLS 1.1+ policy rests on NIST guidance from April 2014 (SP 800-52
Revision 1) stating that "SSL 3.0 is not approved for use in the protection
of Federal information". The POODLE attack disclosed in October 2014 then
showed why: SSL 3.0 does not cover its CBC padding bytes with the MAC, so a
padding oracle lets an attacker decrypt secrets such as cookies byte by
byte, and there is no fix short of disabling the protocol.

A variant of POODLE was later found to work against some TLS 1.0, 1.1 and
1.2 deployments as well, but there the fault lay in implementations that
failed to check the CBC padding bytes, not in the TLS protocol itself, and
those systems are fixed by patching the implementation.

Despite the extension, PCI SSC still encourages organizations to complete
the migration as soon as possible rather than wait for the new deadline,
since every system left on SSL 3.0 or TLS 1.0 remains exposed to these
attacks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
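One check a practitioner can run offline against the migration the article describes, as an added example (not code from the article, PCI SSC or Softpedia): parse a captured TLS ServerHello record and report the protocol version the server actually negotiated, flagging SSL 3.0 and TLS 1.0 as failing the TLS 1.1+ floor. The ServerHello fixtures built by `_server_hello` are constructed here for illustration, not real captures. The parser also handles TLS 1.3, where the ServerHello's legacy version field is fixed at TLS 1.2 and the real selected version sits in the supported_versions extension, so a naive two-byte check would misreport it.

```python
"""Report the protocol version negotiated in a captured TLS/SSL 3.0 ServerHello.

Added example for auditing a PCI-style TLS 1.1+ migration; not from the
article or from PCI SSC. Input is the raw bytes of the first record the
server sends after a ClientHello (from a pcap or a socket recv()).
"""
import struct
from typing import Optional, Tuple

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# Versions the article says PCI SSC is phasing out.
LEGACY_VERSIONS = {0x0300, 0x0301}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions


def negotiated_version(record: bytes) -> int:
    """Return the version negotiated in a ServerHello record (handshake type 0x02).

    For TLS 1.3 the hello's legacy_version field is always 0x0303; the
    selected version is carried in the supported_versions extension.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                # legacy_session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos + 2 > len(hello):
        return version                # no extensions block (SSL 3.0 / early TLS)
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hello):
        raise ValueError("extensions block overruns ServerHello")
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_data_len]
        if ext_type == SUPPORTED_VERSIONS_EXT and len(data) == 2:
            version = struct.unpack("!H", data)[0]
        pos += 4 + ext_data_len
    return version


def audit(record: bytes) -> Tuple[str, bool]:
    """Return (version name, passes TLS 1.1+ floor) for a captured ServerHello."""
    v = negotiated_version(record)
    return VERSION_NAMES.get(v, "unknown 0x%04x" % v), v not in LEGACY_VERSIONS


def _server_hello(legacy_version: int, selected_version: Optional[int] = None) -> bytes:
    """Build a minimal ServerHello record (constructed fixture, not a real capture)."""
    hello = struct.pack("!H", legacy_version)
    hello += b"\x11" * 32             # random (fixed filler for the fixture)
    hello += b"\x00"                  # empty legacy_session_id
    hello += b"\xc0\x2f"              # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    hello += b"\x00"                  # null compression
    if selected_version is not None:  # TLS 1.3 style: real version in extension
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    record_version = min(legacy_version, 0x0303)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


if __name__ == "__main__":
    for label, rec in [("sslv3", _server_hello(0x0300)),
                       ("tls10", _server_hello(0x0301)),
                       ("tls12", _server_hello(0x0303)),
                       ("tls13", _server_hello(0x0303, 0x0304))]:
        name, ok = audit(rec)
        print("%-6s negotiated %-8s %s" % (label, name, "PASS" if ok else "FAIL"))
```

Note that this reports what was negotiated for one particular client. To learn whether a server still accepts the deprecated versions, probe it with a client that offers only SSL 3.0 or only TLS 1.0 and feed the reply to `audit`; a handshake alert instead of a ServerHello means that version is disabled, which is the outcome the migration aims for.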