Organisations that need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) version 3.1 are now getting a reprieve on a key compliance measure. Originally, organisations would have needed to migrate to Transport Layer Security (TLS) version 1.1 or higher by June 2016. The PCI Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS v1.0 to a secure version of TLS (currently v1.1 or higher). Read more on the PCI SSC blog.
The PCI DSS 3.1 standard was introduced in April 2015 and focuses on moving away from older versions of TLS and Secure Sockets Layer (SSL) in order to reduce the risk of exposure from insecure data transfer protocols. One of the key requirements in PCI DSS 3.1 is for organisations to disable the use of SSL version 3. SSL has been shown to be cryptographically insecure by a large body of research.
Fifteen years ago, SSL v3.0 was superseded by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Today, SSL and early TLS no longer meet minimum security standards because of vulnerabilities in the protocols themselves for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible and disable any fallback to both SSL and early TLS. SSL has been removed as an example of strong cryptography in the PCI DSS and can no longer be used as a security control after June 30, 2016.