Date Change for Migrating from SSL and Early TLS

in #ssl, 6 years ago (edited)

It was exactly two years ago today when I received this bulletin. I remember it was Friday morning, and I forwarded it immediately to the team who had been working on the fixes based on the looming deadline. We had to change priorities and move resources to work on it. We were working with our partners and evaluating options and patches to see if we could mitigate the risks associated with SSL and TLS 1.0. It was hectic, and we were educating customer-facing teams and communicating with customers. If you are in the payment industry, you know the impact.

Here is the summary of the impact and the reason the date was delayed. You can get the full details from here.

  1. The migration completion date was extended to June 30, 2018.
  2. The original completion date was June 30, 2016.
  3. Significant cost and effort are required to migrate to more secure protocols. The original time frame released in PCI DSS 3.1 was not sufficient for all players in the industry to be ready.

2018 is right around the corner. Six (6) months is a short duration. It will be interesting to see the statistics prior to June 30, 2018. The cost and effort of migrating to the latest TLS version is huge; yet without migrating, the cost of potential breaches is even worse.

So, any organization developing, integrating and maintaining payment solutions needs to be on constant lookout for the latest developments in the industry, and be vigilant about applying the latest patches and adopting more robust solutions where possible.