Our plan for migrating to TLS 1.2
When many of us hear the term SSL, we immediately think of encryption and safety. However, 2014 was not a good year for SSL. When the POODLE and Heartbleed vulnerabilities were discovered in all versions of SSL, researchers realized there was no way to remediate them.
The best way to respond to the risk of SSL vulnerabilities turned out to be switching from SSL and early versions of TLS to a stronger protocol like TLS v1.2. Following this discovery, the PCI (Payment Card Industry) Security Standards Council, which defines the Data Security Standards for online merchants, released PCI DSS v3.1. It requires that SSL or early TLS versions not be used as a security control after June 30, 2016.
However, in December 2015, the PCI Council announced that it had extended the deadline to June 30, 2018. The reason for this date change was the feedback it received from different merchants. In fact, there are still many web visitors who use browsers that only support SSL and early versions of TLS. If support for these browsers is discontinued, those visitors would no longer be able to purchase from those merchants.
The June 30, 2018 deadline only applies to entities with an existing dependency on SSL and early TLS versions; any new implementation must be enabled with TLS 1.1 or greater. Also, all third-party entities must provide an option of TLS 1.1 or greater to their customers by June 30, 2016.
Consistent with these requirements, Instart Logic will:
- By June 30, 2016: provide all customers with an option to transition to using TLS 1.2
- By June 30, 2018: disable TLS 1.0 and 1.1 and migrate all PCI customers to TLS 1.2
Please reach out to us if you have any questions about Instart Logic’s PCI offering.