The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for mandatory migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS).
Earlier this year, the council decided the time to make the final cutover was June 2016. Now the council says it's just too hard for retailers to make the jump and they'll be excused a move off SSL and to at least TLS 1.1, until June 2018.
But there are exceptions: some "point of interaction" terminals known not to be susceptible to bugs plaguing SSL and early versions of TLS will be permitted beyond 2018. The new ruling also tightens things up, for the first time insisting "Acquirers, Processors, Gateways and Service Providers" provide TLS 1.1 (and preferably 1.2) by June 2016.
The canned statement (PDF) about the moratorium, issued deep into Friday US time, features the council's general manager Stephen Orfei saying migration was expected to be simple, “but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks.”
Orfei laid some of the blame at the feet of mobile devices, saying that retailers' efforts to secure transactions made on smartphones and fondleslabs, on top of “encryption, the SHA-1 browser upgrade and EMV in the US” together make for so much work that the SSL death deadline can't be met.
“We’re working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in,” Orfei says.
The world will therefore have to bumble along with known-to-be imperfect encryption for two years longer than planned, a period during which The Register imagines "the bad guys" will do their very best take advantage of weak encryption.
The new migration deadline will be formalised in the next version of the PCI DSS standard, due in April 2016. ®