In brief: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have long been the cryptographic protocols used to secure conversations between two systems (e.g., a web server and a web browser such as Chrome, Safari, or IE). In general terms, SSL and TLS encrypt the credit card and customer information that is passed between the server and browser to keep it secure and private. SSL has not been considered secure since 2014. TLS was released in 1999 and has replaced SSL as the standard for encrypting data sent across the web.
On the other hand, because POIs may not be as susceptible to the same known vulnerabilities as browser-based systems, POI devices (and the termination points to which they connect) that can be verified as not being susceptible to any of the known exploits for SSL and early versions of TLS may continue to use SSL/early TLS after June 30th 2018. If SSL/early TLS is used, the POIs and their termination points must have up-to-date patches and must have only the necessary extensions enabled. In addition, use of weak cipher suites or unapproved algorithms (e.g., RC4, MD5, and others) is not allowed.
What can organizations do to protect themselves against SSL and early TLS vulnerabilities? Consider the points below:
- Migrate to a minimum of TLS 1.1, preferably TLS 1.2.
- Patch TLS software against implementation vulnerabilities.
- Configure TLS securely.
- Use PCI SSC resources, including detailed guidance, a webinar and a number of FAQs.
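One way to apply and check the "migrate" and "configure TLS securely" points, as an added example that is not from the original article or from PCI SSC: a Python `ssl` server context with a TLS 1.2 floor and RC4/MD5 excluded, plus an audit of a protocol floor and cipher list against the rules stated above. The function names, the cipher string and the legacy sample are assumptions made for illustration, and the POI exception is not modeled.

```python
import ssl

# Markers for the algorithms the text names as not allowed (RC4, MD5).
# The article's "and others" is not enumerated, so extend this per your policy.
WEAK_MARKERS = ("RC4", "MD5")

def hardened_server_context():
    """Server-side context with a TLS 1.2 floor and no RC4/MD5 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: forward-secret AEAD suites, weak families excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!MD5")
    return ctx

def audit(min_version, cipher_names):
    """Return (level, message) findings for a protocol floor and cipher list."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_1:
        findings.append(("FAIL", "SSL/early TLS accepted (floor below TLS 1.1)"))
    elif min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("WARN", "TLS 1.1 floor; TLS 1.2 is preferred"))
    for name in cipher_names:
        if any(marker in name.upper() for marker in WEAK_MARKERS):
            findings.append(("FAIL", f"weak cipher suite enabled: {name}"))
    return findings

def audit_context(ctx):
    """Audit a live SSLContext using the suites OpenSSL actually enabled."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])

# Constructed sample: settings of a legacy endpoint, written by hand for the demo.
LEGACY_FLOOR = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = ["RC4-MD5", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    for level, message in audit(LEGACY_FLOOR, LEGACY_CIPHERS):
        print("legacy  :", level, message)
```
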