According to the latest news in the SSL industry, the new PCI DSS 3.2 version will be released this Spring. Initially, its scheduled release date was in Fall. The PCI Security Standards Council revised the release date to include the extended period of the SSL 3.0/TLS 1.0 migration due to the existing expanding threat landscape.
The current version of PCI DSS 3.1 was first to introduce the strict guidelines which address the migration from SSL 3.0 and TLS 1.0. According to it, these two protocols should “no longer be used as a security control after June 30th 2016”. This means that until the established date, all website owners processing cardholder data should disable these protocol versions in order to be in compliance with the new requirements. But, the PCI Security Standards Council changed this date in their “Bulletin on Migrating from SSL and Early TLS” from December 2015, by extending the period until the 30th of June 2018. This revision is the result of an extensive marketplace feedback from the PCI DSS members. However, the Council strongly expressed that waiting until 2018 is not recommended. The new deadline will be included in the PCI DSS 3.2, aimed to be published in March or April, 2016.
Improving website security
According to the bulletin, in November 2015, over 67% of the surveyed websites had inadequate security. This means that these websites are exposed to high-profile cyber attacks such as “POODLE”, “FREAK”, “BEAST”, “CRIME” or “Heartbleed”, which exploit the weaknesses of the SSL 3.0 and TLS 1.0 protocols, released in the early 1990s. These cyber attacks allow hackers to perform “man-in-the-middle attacks”, through which they can easily decrypt sensitive cardholder data, or steal long-lived cryptographic keys. The vulnerabilities of the SSL 3.0 and TLS 1.0 protocols can not be fixed. This is why the PCI DSS imposes the migration to the latest version of the TLS protocols: TLS 1.1 and TLS 1.2, which were released in 2006 and 2008.
After Google discovered the POODLE vulnerability, several measures of protection have been taken in order to increase the websites’ security. First of all, the newest versions of the most popular browsers don’t support SSL 3.0 anymore. Second, all webmasters have been advised to disable the SSL 3.0 and TLS 1.0 options from their server. Once these options are disabled, the SSL certificate will protect the connection by using only the newest versions of the TLS protocol.
Even if the new requirements of the PCI DSS 3.2 directly addresses only website owners that deal with cardholder, payment, personal or administrative records, the recommendation of migrating to TLS 1.2 shall refer to all webmasters. The number of data breaches is constantly increasing and you should not risk the online security and reputation of your business by using outdated encryption protocols. The available SSL certificates support all protocols, so don’t hesitate to protect your website by updating to TLS 1.2.