SSL Update

“The report of my death was an exaggeration.” – Mark Twain

Today the PCI SSC announced that SSL and “early TLS” (whatever that means) will not truly die until July 1, 2016. This will allow a transition period for all of you stuck with vendor baked-in SSL as well as the procrastinators amongst us to get converted to TLS 1.2. I say TLS 1.2 because if you are going to convert, you really should go to the most current version and not just with whatever will get you by.

The complete summary of PCI DSS v3.1 changes can be found here.

UPDATE: Late on Wednesday, April 15, the PCI SSC released v3.1 of the PCI DSS. The Council uses NIST SP800-52 rev1 as the definition of “early TLS”. You can get a copy of the new version of the PCI DSS here.


3 Responses to “SSL Update”

  1. Simon
    April 16, 2015 at 3:15 AM

    The press release contained a footnote for “early¹ TLS”: ¹ TLS version 1.0 and in some cases 1.1 – see PCI SSC Information Supplement: Migrating from SSL and Early TLS. This document and the revised DSS are now available from the SSC site. With “in some cases 1.1” the only safe option is to migrate to TLS 1.2 (or higher, TLS 1.3 is currently in draft status).

  2. ErikR
    April 16, 2015 at 1:23 AM

    Apparently NIST SP 800-52 rev 1 is supposed to clarify what configurations of TLS 1.1 are acceptable.

    I think that if an entity wants to use TLS 1.1 they’d better be able to give a very good technical explanation of how it meets the PCI requirements…

  3. Jonata Pregliasco
    April 15, 2015 at 4:08 AM

    I had the very same thought when the notification arrived in my mailbox. “Early”? C’mon. It seems these people put more effort into being ambiguous than into issuing clear guidelines and requirements to overcome security risks.

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.