Transport Layer Security (TLS) and its widely used predecessor, Secure Sockets Layer (SSL), are cryptographic protocols meant to ensure the safe and secure transmission of data over a network. You rely on them every day, from email to web browsing to online applications. They are also responsible for protecting customers' data when an online transaction is completed, or simply when a form is submitted online.


In fact, as a merchant that deals with some form of cardholder data, it is very likely that you will have come across the terms TLS and SSL as part of your PCI DSS compliance work.

PCI DSS version 3.0 requirement 4.1 states that you must:

"use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks."

However, last year, PCI DSS 3.1 was released, aiming to address the vulnerabilities of SSL and early TLS (TLS version 1.0) that have been discovered over the last 20 years.

The PCI SSC (Payment Card Industry Security Standards Council) notes that the vulnerabilities are serious, pointing to high-profile breaches caused by POODLE, Heartbleed and FREAK, which were in turn only possible because of those weaknesses in SSL and early TLS. Initially, with PCI DSS 3.1, merchants were given until June 2016 to migrate from SSL and early TLS to TLS 1.1 or higher (TLS 1.2 is specifically recommended) in order to stay compliant, but this has now changed, with the council extending the date.

More time to migrate from SSL and early TLS

After rolling out PCI DSS 3.1 in April 2015, giving people just over a year to migrate, the council explains that "during the implementation period of PCI DSS 3.1, PCI SSC continued to seek feedback from the market, and has now revised and updated sunset dates" which is why the deadline is now June 2018.

While June 2018 may seem a long way away, the PCI SSC does not suggest putting off the migration any longer. In an article from December 2015, the council outlines some of the risks of these vulnerabilities, for example "many of the attacks, particularly protocol vulnerabilities, allow for Man-in-the-Middle attacks allowing an attacker to decrypt sensitive information" and "in some of the most serious cases, vulnerabilities could allow an attacker to steal long-lived cryptographic keys", both of which could be disastrous for your business.

A basic guide to migrating to TLS 1.2

The PCI SSC offers this handy checklist on where to begin the migration process:

  • Identify all system components and data flows relying on and/or supporting the vulnerable protocols;
  • For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol;
  • Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need;
  • Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented;
  • Document a migration project plan outlining steps and timeframes for updates;
  • Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment;
  • Perform migrations and follow change control procedures to ensure system updates are tested and authorized;
  • Update system configuration standards as migrations to new protocols are completed;

It is important to build a communications element into migration planning; consider how much legwork it will take to get agreement on the changes.
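As an added example, not part of the original post or of any PCI SSC material: a small Python audit that applies the first and last checklist items, inventory and configuration standards, to web-server protocol directives. The host names, the directive lines and the expansion of the Apache `all` keyword (modelled on Apache 2.4 semantics) are constructed assumptions.

```python
# Versions PCI DSS 3.1 classes as "SSL and early TLS" and wants removed.
WEAK = {"SSLv2", "SSLv3", "TLSv1"}
# What the Apache "all" keyword is assumed to expand to (2.4 semantics, SSLv2 excluded).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def enabled_protocols(directive):
    """Return the set of protocol versions a server config line enables.

    Handles nginx 'ssl_protocols A B C;' and Apache 'SSLProtocol all -SSLv3 +TLSv1.2'.
    Tokens are applied left to right: a bare or '+' token adds, '-' removes,
    and 'all' resets to the full set (or to nothing when written '-all').
    """
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] not in ("ssl_protocols", "SSLProtocol"):
        raise ValueError("not a TLS protocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        name = tok.lstrip("+-")
        if name.lower() == "all":
            enabled = set() if tok.startswith("-") else set(ALL)
        elif tok.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def audit(directive):
    """Return (is_compliant, weak_versions_found, hardened_directive)."""
    enabled = enabled_protocols(directive)
    weak = sorted(enabled & WEAK)
    # TLS 1.2 only: the configuration standard the council recommends migrating to.
    hardened = ("ssl_protocols TLSv1.2;" if directive.strip().startswith("ssl_protocols")
                else "SSLProtocol -all +TLSv1.2")
    return (not weak, weak, hardened)


# Constructed inventory, as checklist item 1 might collect it; names are hypothetical.
INVENTORY = {
    "web-01 (nginx)": "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
    "api-02 (nginx)": "ssl_protocols TLSv1.2;",
    "shop-03 (apache)": "SSLProtocol all -SSLv2 -SSLv3",
}


def audit_inventory(inventory):
    """Map each host to its audit result so the migration plan can list what to fix."""
    return {host: audit(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, (ok, weak, fix) in audit_inventory(INVENTORY).items():
        status = "OK" if ok else "MIGRATE (%s enabled) -> %s" % (", ".join(weak), fix)
        print("%-18s %s" % (host, status))
```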

The council also offers recommendations for payment terminals that use SSL or early TLS for encryption, saying that terminals that "can be verified as not being susceptible to any of the known exploits for SSL and early versions of TLS may continue to use SSL / early TLS".

However, in order to verify them as "not susceptible", you should contact the terminal vendors or knowledgeable security professionals (such as Advantio). Additionally, "new threats and risks must continue to be managed in accordance with applicable PCI DSS Requirements, such as 6.1, 6.2, and 11.2."

Moreover, the Council stresses that it is "always important to focus on security and keep track of new vulnerabilities", in case of a new attack on the current version of TLS. The Council also suggests putting together a risk and mitigation plan which details "how an entity will address the migration to a secure protocol, including the controls in place to reduce risk associated with SSL and early TLS, until their migration is complete", e.g. how many, and what type of, systems use the protocols.

This risk and mitigation plan will need to be provided to your PCI DSS compliance assessor during your assessment, so that they can check back in and see your progress ahead of the June 2018 migration deadline.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.