The Payment Card Industry Security Standards Council released version 3.1 of its Data Security Standard (PCI DSS) on April 15 to address vulnerabilities in the Secure Sockets Layer (SSL) protocol and early versions of Transport Layer Security (TLS) that put payment data at risk.
Payment processors and security vendors have spent the past few months telling e-commerce merchants that a change in the transport encryption protocols accepted for websites was coming.
The change calls for merchants with an online presence to move to a current version of TLS; the Council's migration guidance names TLS 1.1 as the minimum and strongly encourages TLS 1.2. Attacks such as POODLE and BEAST, which are cryptographic attacks on the protocols' cipher-block-chaining handling rather than malware, have exposed flaws in SSL and early versions of TLS, the PCI Council stated in a press release.
SSL and early TLS versions will not be considered sufficient security controls after June 30, 2016. Prior to that date, security implementations that use SSL or early TLS must have a formal risk mitigation and migration plan in place, PCI said.
Point-of-sale terminals, together with the SSL/TLS termination points they connect to, may continue using those protocols after June 30, 2016, only if a security assessor can verify that they are not susceptible to any known exploit for SSL and early TLS.
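The check a merchant or assessor actually needs for the two paragraphs above is whether a given endpoint still negotiates SSL 3.0 or early TLS. The following probe is an added example, not code from the article or from the PCI Council: it pins a Python `ssl` client context to one protocol version at a time and reports which versions the server accepts, then applies the PCI DSS 3.1 rule to the result. The mapping of "early TLS" to TLS 1.0, with TLS 1.1 accepted and TLS 1.2 recommended, follows the Council's 2015 migration guidance and is an assumption to confirm with your assessor; the host and port are command-line arguments, and `SAMPLE_RESULTS` is a constructed result set, not a real scan.

```python
"""Probe which SSL/TLS versions a server still negotiates (added example,
not part of the PCI coverage above)."""
import socket
import ssl
import sys

# Assumption: PCI DSS 3.1 "SSL and early TLS" = SSL 3.0 and TLS 1.0, per the
# Council's 2015 migration guidance (TLS 1.1 minimum, TLS 1.2 encouraged).
INSUFFICIENT = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1)
RECOMMENDED_MINIMUM = ssl.TLSVersion.TLSv1_2

PROBE_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted", "refused", or "client-unsupported" (the local
    OpenSSL build cannot speak that version at all, which is itself a sign
    the version is obsolete and the probe must be run from another host).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is under test, not the certificate chain,
    # so verification is disabled here; never reuse this context for data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "client-unsupported"
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL security levels refuse legacy versions unless the
        # level is lowered; do that only inside this throwaway probe.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except OSError:  # ssl.SSLError, timeouts and connection errors
        return "refused"


def probe(host, port=443):
    """Probe every version in PROBE_VERSIONS; keys are enum names."""
    return {v.name: probe_version(host, port, v) for v in PROBE_VERSIONS}


def assess(results):
    """Apply the PCI DSS 3.1 rule to probe results (or any scanner output
    using the same version names).

    Returns (insufficient, below_recommended): accepted versions that are
    not a sufficient control after June 30, 2016, and accepted versions
    that pass but fall below the recommended TLS 1.2 floor.
    """
    accepted = [v for v in PROBE_VERSIONS if results.get(v.name) == "accepted"]
    insufficient = [v.name for v in accepted if v in INSUFFICIENT]
    below = [v.name for v in accepted
             if v < RECOMMENDED_MINIMUM and v not in INSUFFICIENT]
    return insufficient, below


# Constructed example result for a legacy server that still offers SSL 3.0
# and TLS 1.1; not the output of a real scan.
SAMPLE_RESULTS = {
    "SSLv3": "accepted",
    "TLSv1": "refused",
    "TLSv1_1": "accepted",
    "TLSv1_2": "accepted",
    "TLSv1_3": "client-unsupported",
}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe(host, port)
    for name, state in res.items():
        print(f"{name:8} {state}")
    bad, weak = assess(res)
    if bad:
        print("Not a sufficient control under PCI DSS 3.1 after June 30, 2016:",
              ", ".join(bad))
    elif weak:
        print("Accepts", ", ".join(weak), "(allowed, but TLS 1.2 is recommended)")
    else:
        print("Only TLS 1.2 or later negotiated")
```

Run it from a host whose OpenSSL still speaks SSL 3.0 and TLS 1.0; on a current build those versions come back as `client-unsupported`, which tells you nothing about the server and means the probe must be repeated from an older toolchain or a dedicated scanner. A "refused" result for SSL 3.0 and TLS 1.0 on every customer-facing termination point is the evidence a migration plan should be able to show.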
Version 3.1 takes effect immediately, while the current PCI data security standard 3.0 will be retired on June 30, 2015, PCI said.
"We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data," PCI Council general manager Stephen W. Orfei said in the release.