The Payment Card Industry Security Standards Council (PCI SSC) has announced that it has pushed back the mandatory migration date for TLS 1.1 encryption or higher for organizations that process online or offline payments.

In April 2015, the PCI SSC group informed us that all organizations that handled any type of payment information must do so by using better-quality encryption, meaning TLS 1.1 or higher. In a press release at the time, PCI SSC said that all organizations must migrate to TLS 1.1+ by June 2016.

As the same group is now explaining, some technical difficulties have been observed, which has forced them to push back the date to June 2018.

Banking industry is a little busy right now, needs more time

"Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks," states Stephen Orfei, General Manager, PCI SSC. "We want merchants protected against data theft but not at the expense of turning away business, so we changed the date."

PCI SSC says that payment operators felt overwhelmed this year by the rising need to protect mobile payments, the introduction of EMV (chip & PIN cards) in the US, and the SHA-1 browser update process that was accelerated by researchers who managed to crack the algorithm.

All of these added a new level of complexity that would have resulted in unwanted complications that, in turn, would have led to implementation errors, Mr. Orfei argues.

For this reason, PCI SSC is now giving businesses more time to move away from insecure SSL 3.0 and TLS 1.0 implementations.

Reason for TLS 1.1+ upgrade: SSL 3.0 and TLS 1.0 deemed vulnerable, unfixable

The reason behind this "TLS 1.1+ or higher policy" is a NIST announcement from April 2014 that said that "SSL 3.0 is not approved for use in the protection of Federal information" due to the POODLE exploit, for which there are no fixes.

The same POODLE exploit could be launched against TLS 1.1 and 1.2 encrypted systems, but researchers showed that, in those cases, implementation errors were at fault and not the TLS 1.1/1.2 protocol itself.

In spite of the deadline being pushed back, PCI SSC still encourages organizations to upgrade as soon as possible to better encryption on their systems, just to avoid any complications and system breaches.