Security industry too busy improving security to do security right


Batu69

PCI Council delays SSL abandonment date to 2018, so cruddy credit crypto continues

The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS).

Earlier this year, the Council decided the time to make the change was June 2016, a reasonable idea given that SSL gave the world the Heartbleed, Shellshock and Poodle vulnerabilities.

Now the Council says it's just too hard for retailers to make the jump.

The canned statement (PDF) about the moratorium, issued deep into Friday US time, features the Council's general manager Stephen Orfei saying migration was expected to be simple, “but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks.”

Orfei laid some of the blame at the feet of mobile devices, saying that retailers' efforts to secure transactions made on smartphones and fondleslabs, on top of “encryption, the SHA-1 browser upgrade and EMV in the US” together make for so much work that the SSL death deadline can't be met.

“We’re working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in,” Orfei says.

The world will therefore have to bumble along with known-to-be-imperfect encryption for two years longer than planned, a period during which The Register imagines "the bad guys" will do their very best to take advantage of weak encryption.

The new migration deadline will be formalised in the next version of the PCI DSS standard, due in April 2016.

