SSL Update

“The report of my death was an exaggeration.” – Mark Twain

Today the PCI SSC announced that SSL and “early TLS” (whatever that means) will not truly die until July 1, 2016. This will allow a transition period for all of you stuck with vendor baked-in SSL, as well as the procrastinators amongst us, to get converted to TLS 1.2. I say TLS 1.2 because if you are going to convert, you really should go to the most current version and not just to whatever will get you by.

The complete summary of PCI DSS v3.1 changes can be found here.

UPDATE: Late on Wednesday, April 15, the PCI SSC released v3.1 of the PCI DSS. The Council uses NIST SP800-52 rev1 as the definition of “early TLS”. You can get a copy of the new version of the PCI DSS here.
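As an added example (not from the original post or the PCI SSC), here is what "converting to TLS 1.2" looks like in practice on the client and server side, plus a small audit helper that sorts an inventory of negotiated protocol versions into SSL, early TLS and acceptable. The hostnames and negotiated versions in `SAMPLE_INVENTORY` are constructed for the example, and treating TLS 1.1 as "early TLS" alongside 1.0 is this example's conservative reading of the Council's footnote, not a quotation of NIST SP 800-52 rev1.

```python
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version().
# Assumption (this example's, not the Council's wording): TLS 1.1 is grouped
# with TLS 1.0 as "early TLS", the conservative reading of "in some cases 1.1".
SSL_VERSIONS = {"SSLv2", "SSLv3"}
EARLY_TLS_VERSIONS = {"TLSv1", "TLSv1.1"}
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def classify_protocol(version):
    """Map a negotiated protocol name to 'ssl', 'early-tls', 'ok' or 'unknown'."""
    if version in SSL_VERSIONS:
        return "ssl"
    if version in EARLY_TLS_VERSIONS:
        return "early-tls"
    if version in ACCEPTABLE_VERSIONS:
        return "ok"
    return "unknown"


def make_strict_client_context():
    """Client context that refuses to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_strict_server_context(certfile, keyfile):
    """Server context for a service that must no longer offer SSL or early TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_version_name(ctx):
    """Name of the context's floor, e.g. 'TLSv1_2'; handy for config checks."""
    return ctx.minimum_version.name


def probe_own_server(host, port=443, timeout=5.0):
    """Connect to one of your own endpoints and report what it negotiates.

    The client is deliberately permissive so that a server still offering an
    old protocol is reported as such. Network call; not exercised offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
    return version, classify_protocol(version)


# Constructed sample of an inventory scan: (hostname, negotiated version).
SAMPLE_INVENTORY = [
    ("pos-gateway.example", "TLSv1"),
    ("payment-api.example", "TLSv1.2"),
    ("legacy-terminal.example", "SSLv3"),
    ("reporting.example", "TLSv1.1"),
]


def migration_worklist(inventory):
    """Hosts that still negotiate SSL or early TLS, with the reason for each."""
    return [
        (host, classify_protocol(version))
        for host, version in inventory
        if classify_protocol(version) != "ok"
    ]


if __name__ == "__main__":
    for host, reason in migration_worklist(SAMPLE_INVENTORY):
        print(f"{host}: still on {reason}, needs migration before the deadline")
```

The worklist function is the part worth keeping around: feed it the output of whatever scanner you already use, and the entries it returns are the systems that still need attention before the transition period ends.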


3 Responses to “SSL Update”

  1. Simon
    April 16, 2015 at 3:15 AM

    The press release contained a footnote for “early¹ TLS”: ¹ TLS version 1.0 and in some cases 1.1 – see PCI SSC Information Supplement: Migrating from SSL and Early TLS. This document and the revised DSS are now available from the SSC site. With “in some cases 1.1” the only safe option is to migrate to TLS 1.2 (or higher; TLS 1.3 is currently in draft status).

  2. ErikR
    April 16, 2015 at 1:23 AM

    Apparently NIST SP 800-52 rev 1 is supposed to clarify what configurations of TLS 1.1 are acceptable.

    I think that if an entity wants to use TLS 1.1 they’d better be able to give a very good technical explanation of how it meets the PCI requirements…

  3. Jonata Pregliasco
    April 15, 2015 at 4:08 AM

    I had the very same thought when the notification arrived in my mailbox. “Early”? C’mon. It seems these people put more effort into being ambiguous than into issuing clear guidelines and requirements to overcome security risks.
