PCI DSS pushes back the date for 3.1 compliance

December 28, 2015|Ed Leavens

Is the focus really on security and privacy? Or is PCI Compliance just a check box? You be the judge.

The PCI Security Standards Council revises PCI DSS on a three-year lifecycle. PCI DSS 2.0 was released in October 2010 and PCI DSS 3.0 in November 2013, with 3.0 becoming mandatory on 1 January 2015. Nobody expected another version of the standard for some time.

However, just three months after 3.0 became mandatory, in April 2015, the Council released an unexpected, out-of-cycle PCI DSS 3.1 update. It addressed the fact that SSL (all versions) and early TLS (TLS 1.0, and in some configurations 1.1) are susceptible to known protocol-level vulnerabilities for which there are no fixes (POODLE against SSL 3.0 and BEAST against TLS 1.0 CBC cipher suites among them), and are therefore no longer considered examples of strong cryptography. Despite the significant and serious nature of the situation, organizations were given a grace period to migrate to a secure protocol version until 30 June 2016.
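At the server, the migration the 3.1 update demands is largely a one-line configuration change. The nginx fragment below is an added illustration, not configuration from the original post or from the PCI Council; the hostname and certificate paths are placeholders, and the two `server` blocks are a before/after pair (replace the first with the second, do not deploy both). The first `ssl_protocols` line is the kind of legacy setting the update targets; the second meets the migration target (the Council's migration guidance set TLS 1.1 as the minimum and strongly recommended TLS 1.2; TLS 1.3 did not exist in 2015, and a current deployment would add `TLSv1.3`).

```nginx
# Added example (not from the original post). Hostname and certificate
# paths are placeholders.

# BEFORE: still negotiates SSLv3, TLS 1.0 and TLS 1.1 with old clients.
# This is what "SSL and early TLS" in PCI DSS 3.1 refers to: SSLv3 is
# vulnerable to POODLE, TLS 1.0 CBC cipher suites to BEAST, and neither
# can be fixed by patching. (Most current OpenSSL builds no longer even
# compile in SSLv3; the token is shown here only to mark the legacy setting.)
server {
    listen 443 ssl;
    server_name payments.example.com;
    ssl_certificate     /etc/ssl/certs/payments.example.com.pem;
    ssl_certificate_key /etc/ssl/private/payments.example.com.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

# AFTER: TLS 1.2 only, the version the PCI migration guidance strongly
# recommends, with forward-secret AEAD cipher suites. A client that cannot
# speak TLS 1.2 now fails the handshake; that is the "turning away
# business" the Council's statement refers to, and it is the trade-off
# the deadline extension is really about.
server {
    listen 443 ssl;
    server_name payments.example.com;
    ssl_certificate     /etc/ssl/certs/payments.example.com.pem;
    ssl_certificate_key /etc/ssl/private/payments.example.com.key;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
```

After `nginx -t` and a reload, confirm the change from the outside rather than trusting the file: `openssl s_client -connect payments.example.com:443 -tls1` and the same command with `-tls1_1` should fail to complete a handshake, while `-tls1_2` should succeed. Run the same probe against every public endpoint that handles cardholder data, since the migration is only done when the last one refuses the old versions.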

This month (December 2015), the Council announced that, “following significant feedback from the global PCI community”, the migration deadline was being pushed back to 30 June 2018. The Council stated that early market feedback had suggested the migration to the more secure protocol versions would be technically simple, but that “many unexpected issues surfaced with merchants and payment processors”. Stephen Orfei, General Manager of the PCI Security Standards Council, stated: “We want merchants protected against data theft but not at the expense of turning away business. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in.”

By comparison, in the software world, organizations such as Google, Facebook and CloudFlare are working to accelerate the retirement of older and increasingly vulnerable protocols. Microsoft, one of the biggest software companies in the world, has stopped providing support, updates or bug fixes, even for critical security flaws, for products such as Windows XP and Internet Explorer 6.

Do the software companies know something that the payment ecosystem is missing?