PCI SSC Updates Deadline to Remove SSL 3.0 and Early TLS

December 18, 2015

Today, the PCI SSC announced an update to the deadlines to remove insecure cryptographic protocols, namely SSL and early TLS (i.e., TLS 1.0). The original publication required disabling these protocols and replacing them with current versions of TLS by June 30, 2016, but today’s announcement extends this deadline to June 30, 2018.

PCI SSC still recommends migrating to secure versions of these protocols as soon as possible to mitigate the risk of vulnerabilities such as the POODLE attack. It still allows the use of these insecure protocols only for existing implementations, and only with a risk mitigation and migration plan. For those with long lead times to effect this transition, however, the schedule change allows more time to do so.

Please contact us with any questions about SSL and TLS as they relate to PCI DSS compliance, or with other PCI DSS compliance questions.
