“The report of my death was an exaggeration.” – Mark Twain
Today the PCI SSC announced that SSL and “early TLS” (whatever that means) will not truly die until July 1, 2016. This will allow a transition period for all of you stuck with vendor baked-in SSL as well as the procrastinators amongst us to get converted to TLS 1.2. I say TLS 1.2 because if you are going to convert, you really should go to the most current version and not just with whatever will get you by.
The complete summary of PCI DSS v3.1 changes can be found here.
UPDATE: Late on Wednesday, April 15, the PCI SSC released v3.1 of the PCI DSS. The Council uses NIST SP800-52 rev1 as the definition of “early TLS”. You can get a copy of the new version of the PCI DSS here.
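The practical question behind the post is "which protocol versions does my endpoint still accept, and does that match the PCI DSS v3.1 position?" The following script is an added example, not code from the post, from the PCI SSC or from any vendor: it probes a host one protocol version at a time, maps the accepted set to a verdict that follows the page's reading (SSL and TLS 1.0 out, TLS 1.1 only conditionally acceptable per NIST SP 800-52 rev1, TLS 1.2 the target), and builds a server-side context pinned to TLS 1.2 or higher. The verdict strings, the function names and the `ssl.TLSVersion` ordering trick are this example's own choices; certificate loading is left to the caller.

```python
import socket
import ssl
import sys

# Constructed for this example: the page's reading of PCI DSS v3.1.
# TLS 1.2+ is the safe target; TLS 1.1 is acceptable only "in some cases"
# (NIST SP 800-52 rev1 configurations); anything older must be migrated.
ACCEPTABLE = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
CONDITIONAL = {ssl.TLSVersion.TLSv1_1}

PROBE_ORDER = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def classify(accepted):
    """Map the set of protocol versions a server accepted to a migration verdict.

    ssl.TLSVersion is an IntEnum, so the lowest member is the weakest version
    the server is still willing to negotiate; that is what the audit cares about.
    """
    if not accepted:
        return "no TLS handshake succeeded"
    weakest = min(accepted)
    if weakest in ACCEPTABLE:
        return "compliant: TLS 1.2 or higher only"
    if weakest in CONDITIONAL:
        return "review: TLS 1.1 offered, acceptable only per NIST SP 800-52 rev1"
    return "non-compliant: SSL/TLS 1.0 still offered, migrate to TLS 1.2"


def probe_versions(host, port=443, timeout=5.0):
    """Return the set of protocol versions `host:port` completes a handshake with.

    Each attempt pins both minimum_version and maximum_version to a single
    version so that the server cannot negotiate something else. Certificate
    verification is disabled on purpose: the question is protocol support,
    not chain validity.
    """
    accepted = set()
    for version in PROBE_ORDER:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            # The local OpenSSL build no longer offers this version at all
            # (typical for SSLv3), so it cannot be probed from this host.
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.add(version)
        except (ssl.SSLError, OSError):
            # Handshake refused or connection failed for this version.
            pass
    return accepted


def tls12_only_context(server_side=True):
    """Build a context that refuses everything below TLS 1.2.

    For a server, call load_cert_chain(certfile, keyfile) on the result before
    use; that step is left to the caller so this helper stays self-contained.
    """
    purpose = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Usage: python tls_audit.py host [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    found = probe_versions(target, target_port)
    print("accepted:", sorted(v.name for v in found))
    print("verdict :", classify(found))
```

The probe reports what the remote side will negotiate, which is the number that matters for the July 1, 2016 deadline; `tls12_only_context` is the corresponding fix on the server side, and the same `minimum_version` setting applies to client code that talks to a payment endpoint.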
The press release contained a footnote for “early¹ TLS”: ¹ TLS version 1.0 and in some cases 1.1 – see PCI SSC Information Supplement: Migrating from SSL and Early TLS. This document and the revised DSS are now available from the SSC site. With “in some cases 1.1” the only safe option is to migrate to TLS 1.2 (or higher, TLS 1.3 is currently in draft status).
Apparently NIST SP 800-52 rev 1 is supposed to clarify what configurations of TLS1.1 are acceptable.
I think that if an entity wants to use TLS 1.1 they’d better be able to give a very good technical explanation of how it meets the PCI requirements…
I had the very same thought when the notification arrived in my mailbox. “Early”? C’mon. It seems these people put more effort into being ambiguous than into issuing clear guidelines and requirements to overcome security risks.