The Payment Card Industry Security Standards Council has added two years to its deadline for organizations involved in payment processing to upgrade to a more secure Web protocol.
Organizations now have until June of 2018, rather than June 2016, to migrate from current Secure Sockets Layer or early Transport Layer Security to a more secure version of TLS.
SSL and TLS operate as a protocol between a server and a client on the Web.
The PCI council spread word in April that the common SSL protocol was no longer secure because of malware attacks, calling for a more secure TLS version, 1.1 encryption or higher, for Web safety. The earlier deadline was included in the most recent version of the PCI Data Security Standard 3.1. The new deadline will be included in the next version of the PCI DSS, expected in 2016.
The council received feedback from PCI members and security experts that pointed out potential problems for businesses, many already bogged down with EMV chip migration in the U.S., in meeting the more aggressive deadline.
“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” Stephen Orfei, general manager of the PCI Council, stated in a Dec. 18 press release.
“We want merchants protected against data theft but not at the expense of turning away business, so we changed the date.”
As the global payments ecosystem has become more complex, businesses are accepting far more payments from customers using mobile devices, Orfei said.
"If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the U.S., that’s a lot to handle," he added.
The council will continue working with others in the industry to ensure that the extended deadline does not result in criminals taking advantage with malware attacks, Orfei added.
In addition, many payment security organizations currently serve thousands of international customers, all using different SSL and TLS configurations, Troy Leach, chief technology officer for PCI, stated in the release.
"The migration date will be changed to accommodate those companies and their clients," Leach said. "Still, we encourage all companies to migrate as soon as possible and remain vigilant."