PCI's Required TLS Update for Compliant Sites Is Rapidly Approaching

May 2, 2018 Tim Callan Alerts & Notices

In 2015 the Payment Card Industry (PCI) Security Standards Council set a June 30, 2018 deadline for entities accepting credit card payments to deprecate support for all versions of SSL/TLS prior to TLS 1.1.  The reasons for this requirement are a variety of security vulnerabilities (including certain flavors of man-in-the-middle and downgrade attacks) that are possible using these older communications protocols.  As of June 30 anyone receiving credit card payments needs to discontinue support for TLS (Transport Layer Security) 1.0 or any version of the SSL standard or fail compliance with PCI-DSS.  TLS versions 1.1 and later are permitted, although the PCI Security Standards Council strongly recommends requiring TLS 1.2 or greater.

The PCI Security Standards Council moved this deadline out from its original 2016 date after it became clear that the market needed more time to ensure that the wholesale migration away from previously ubiquitous standards wouldn't endanger critical systems across a broad array of business and societal functions.  Now the revised deadline is just over two months away, and this time it's solid.

Those who fail to follow this requirement run the risk of fines from the PCI Security Standards Council.  So if you haven't yet dealt with this requirement, we recommend viewing it as a high priority.  If you're using a third-party hosting provider, public cloud service, or CDN, it is highly likely that your provider already has taken care of this requirement.  (Feel free to contact them and confirm that, however.)  If you're running your own servers and systems, you will have to disable support for TLS 1.0 and SSL on your servers.  TLS 1.1 was released all the way back in April 2006, so for any reasonable use case you should be able to disable older support without meaningful negative consequences.  As TLS 1.2 was defined all the way back in 2008, it is also a very reasonable position if you decide to require TLS 1.2 or TLS 1.3.

Note that your actual SSL certificates require no change.  Even certificates you obtained and installed more than a year ago will work perfectly with these standards, and you can use your existing certificates without reissuance or replacement even if you reconfigure your servers with stricter TLS requirements.