The dates published in Dec 2015 by the Payment Card Industry Security Standards Council will be included as a part of the PCI DSS 3.2 specification. More about this can be read here.
UPDATE: 18 DEC 2015
The Payment Card Industry Security Standards Council has revised their original sunset date for SSL and early versions of TLS. The revisions state:
- All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016.
- Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater. TLS 1.2 is recommended.
- All entities must cutover to use only a secure version of TLS (as defined by NIST) effective 30 June 2018.
The full announcement can be read here and an formal update to the PCI DSS v3.1 requirements will be made in 2016.
Our original KB article can be read below.
“SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control after June 30, 2016.” – PCI Security Standards Council
The newest revision of the PCI Security Standards Council policy, PCI-DSS 3.1, establishes a new baseline for strong cryptography, specifically TLS (formerly SSL), required to secure payment card related traffic – TLS 1.2.
- Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons considered insecure.
- Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
As a result of the PCI 3.1 changes, Cloudflare has implemented a transition plan to migrate traffic toward TLS 1.2 in advance of the PCI Council requirements.
1) We are monitoring browsers and traffic to track the percentage of TLS 1.0+1.1 traffic relative to the total volume of encrypted traffic. In October 2014, this traffic was approximately 30% of all encrypted traffic on Cloudflare's network. In February 2015, this traffic was less than 22% of all encrypted traffic on Cloudflare's network. In June 2017, this traffic was less than 10% of all encrypted traffic on Cloudflare's network.
2) We have implemented a "TLS 1.2-only" flag to allow sites to restrict their content to be served with TLS 1.2 protection only. This functionality is available to customers on Business and Enterprise plans only. In addition, customers are required to have custom SSL certificate.
To find out more about this, please see: How to use Cloudflare's TLS 1.2-only feature
3) We are engaging with the PCI Council and we are actively supporting enterprise customers and their auditors with PCI audit TLS related questions.
We expect the majority of encrypted web traffic will upgrade to TLS 1.2 before the 30 June 2016 deadline for PCI. We believe the level of adoption of TLS 1.2 will rapidly increase based on the new PCI guidance, and if this happens, it will be feasible for an increasing number of sites to go "TLS 1.2-only" as the 30 June 2016 deadline approaches. If the level of TLS 1.2 browser adoption is insufficient to allow customers to switch entirely to TLS 1.2-only by the deadline, we are exploring alternatives. We will release more information on TLS 1.2 adoption as well as any updates to the encryption options available to Cloudflare customers on an ongoing basis.