The PCI Council, the standards body that dictates the rules for payment card (like Mastercard and Visa) merchants and service providers last year released a directive that everyone had to upgrade their software and eliminate SSL 3.0 and TLS 1.0 in favor of newer versions – TLS 1.1 and 1.2. The reason was that there are known security holes in those versions of software that are UNFIXABLE – they cannot be patched. They set a deadline of over a year from when they released the directive for people to fix the problem.
Large organizations apparently complained that they have implemented a bit of a rat’s nest (no big surprise) and with everything else on their plate, they were not going to be able to get to fixing the broken SSL implementations.
As a result, the PCI Council changed the deadline from June 2016 to June 2018 – three years from the original directive.
One thing that is important to understand is that just because the PCI Council changed the date by which, if you have not upgraded, that you will be in violation of your merchant agreement with your bank, you are not relieved of liability in case of a breach.
In fact, I assume that plaintiff’s counsel will be asking if a breached merchant was still running a known vulnerable version of encryption at the time the breach occurred. One would assume that this would not work to the merchant’s advantage at trial or in settlement negotiations.
Given this announcement, I expect that the hacking enterprises (like China, Russia and Ukraine, for example) will be looking for enterprises that have not upgraded their encryption software and specifically target them. Given that there are known attacks, that makes these businesses an easy target.
What I am suggesting here is that even though the PCI Council has granted an extension, businesses should not delay their encryption upgrade projects.
The payment card industry, as a whole, spends tens of BILLIONS of dollars a year on payment card fraud. A 2011 Forbes article says that the industry loses $190 billion a year to credit card fraud. Even if Forbes has the number wrong by a factor of 2 or 3 too high, that is still a huge number. That cost is reflected in higher prices and fees that customers – consumers and businesses pay. By delaying the fix to encryption by two more years, the PCI Council is guaranteeing that the fraud costs will rise over that period and possibly significantly.