Any organization that processes payment cards is subject to PCI DSS compliance. Any of those organizations that are still using SSL or early TLS (TLS 1.0 and in certain instances TLS 1.1) should either be panicking or setting aside huge budget amounts for compliance fines. After June 30, any terminals that use TLS 1.0 will no longer be PCI compliant and may be subject to penalties.
Published in April of 2015, PCI DSS v3.1 mandated the migration from SSL and early TLS to newer, more secure versions of the protocol. The original completion deadline for this migration was June 2016, but that was extended by two years and is now June 30, 2018. The same deadline was upheld in PCI DSS v3.2, which was published in April of 2016.
According to Emma Sutcliffe, PCI SSC Senior Director of Data Security Standards, “The 30 June 2018 deadline is a very important milestone. After this date, SSL and Early TLS may no longer be used as a security control for PCI DSS, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect, as defined in PCI DSS Appendix A2.”
One of the reasons that the PCI standard may be concerned with TLS protocol versions is that new vulnerabilities are regularly found in encryption protocols. For example, SSL/TLS has had several vulnerabilities over time, such as Heartbleed, POODLE and DROWN. To reduce the chance of compromise, organizations should be using more secure protocol versions.
The good news is that a quick look at Venafi Trustnet data shows that almost all of the top retail organizations have already migrated from TLS 1.0. Those who haven’t may still be in the final stages of migration.
At this point, manual replacement will take way longer than just two days (the time left to migrate to maintain compliance). Regardless, manual remediation of vulnerable or outdated protocols is not ideal. It’s costly in terms of resources and introduces the risk of human error.
But if you happen to be one of the 1% who have waited until the last minute, there’s only one thing that could possibly help you: automation. In particular, automated machine identity protection will help you quickly locate and replace certificates based on attributes, such as TLS protocol.
Venafi offers a solution designed to help you significantly increase your visibility and apply automation to ensure a more comprehensive migration away from SSL and early TLS. Our platform uses network discovery features to quickly identify both known and unknown certificates throughout your enterprise. It then inventories and categorizes your certificates based on certificate attributes, so you can quickly see which keys and certificates are vulnerable and still need to be migrated to more secure versions of TLS.
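The two checks a practitioner actually needs for the June 30 deadline are (a) whether a given TLS configuration still leaves SSL or early TLS negotiable and (b) which endpoints in an inventory still accept those versions. The script below is an added example written for this post; it is not Venafi code and not part of the Venafi platform. It uses Python's standard `ssl` module: `weak_context` and `pci_compliant_context` show the weak and corrected client configuration side by side, `probe_version` attempts one handshake pinned to a single protocol version against a server you own, and `endpoints_needing_migration` triages an inventory. The hostnames in `SAMPLE_INVENTORY` are constructed. Note that the protocol version is a property of the endpoint's server configuration rather than of the certificate itself, which is why the inventory records it per host and port.

```python
"""Find configurations and endpoints that still allow SSL / early TLS.

Added example for this post; not Venafi code. Hostnames are constructed.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional, Tuple

# Versions that PCI DSS v3.1 / v3.2 Appendix A2 calls "SSL and early TLS".
EARLY_TLS_NAMES = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Printable names -> ssl.TLSVersion values used when probing a server.
PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed inventory: (hostname, port, lowest protocol version the endpoint
# was observed to accept). Hostnames are placeholders, not real systems.
SAMPLE_INVENTORY: List[Tuple[str, int, str]] = [
    ("checkout.example.test", 443, "TLSv1.2"),
    ("pos-gateway.example.test", 443, "TLSv1"),
    ("legacy-api.example.test", 8443, "TLSv1.1"),
    ("admin.example.test", 443, "TLSv1.3"),
]


def weak_context() -> ssl.SSLContext:
    """The 'before' configuration: no floor, so whatever OpenSSL allows can be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def pci_compliant_context() -> ssl.SSLContext:
    """The 'after' configuration: TLS 1.2 is the lowest version that can be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_early_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context's floor is below TLS 1.2 (TLSVersion is an IntEnum)."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def probe_version(host: str, port: int, name: str, timeout: float = 5.0) -> Optional[bool]:
    """Attempt one handshake pinned to a single protocol version.

    Returns True if the server accepted that version, False if it refused it,
    and None if this client's OpenSSL build cannot even offer the version.
    A None result must not be read as "the server is already fixed".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we are testing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = PROBE_VERSIONS[name]
        ctx.maximum_version = PROBE_VERSIONS[name]
    except ValueError:
        return None  # version compiled out of the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as err:
        # OpenSSL's security level can block early TLS on the client side;
        # that is a local limitation, not evidence about the server.
        if err.reason == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False
    except OSError:
        return False


def scan_endpoint(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every version in PROBE_VERSIONS against one endpoint you operate."""
    return {name: probe_version(host, port, name) for name in PROBE_VERSIONS}


def endpoints_needing_migration(inventory: Iterable[Tuple[str, int, str]]) -> List[str]:
    """Return 'host:port' for every inventory entry still accepting SSL or early TLS."""
    return sorted(f"{host}:{port}" for host, port, lowest in inventory if lowest in EARLY_TLS_NAMES)


if __name__ == "__main__":
    print("weak context allows early TLS:", context_allows_early_tls(weak_context()))
    print("compliant context allows early TLS:", context_allows_early_tls(pci_compliant_context()))
    print("endpoints still to migrate:", endpoints_needing_migration(SAMPLE_INVENTORY))
    # To check a real endpoint you own: print(scan_endpoint("host.you.operate", 443))
```

Run `scan_endpoint` only against systems you are responsible for. Because modern OpenSSL builds refuse to offer TLS 1.0 and 1.1 at their default security level, a probe can come back `None` rather than `False`; treat that as "could not test from this host" and confirm the server's own configuration directly rather than recording the endpoint as migrated.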
Learn more about PCI DSS and how it may impact your certificates in our education center.