
Update Regarding TLS Remediation and PCI DSS

As you are probably aware, the PCI Security Standards Council announced in December 2015 that its deadline for remediating existing TLS 1.0 standards has been moved to June 2018. (Source 1, Source 2)

 

To protect cardholders, merchants, solution providers, and the payment card industry at large, Authorize.Net still strongly encourages merchants to upgrade their connections to use TLS 1.2 exclusively, at the earliest possibility.

 

We had originally set a goal to have our merchants and partners migrated to TLS 1.2 by early 2017, and had previously announced this date to all. However, we recognize the challenges in upgrading existing infrastructure to meet this deadline.

 

Therefore, at this time, Authorize.Net has chosen not to enforce the early 2017 deadline.

 

Aside from the June 2018 date given by the PCI Security Standards Council, we do not currently have a deadline set for TLS remediation. TLS 1.0 and greater remain available for both Production and Sandbox environments.

 

Please note, the deadline only applies to existing legacy servers, platforms, and solutions. PCI DSS 3.1 still requires all new servers, platforms, and solutions to support TLS 1.2.

 

Our recommendation is that legacy solutions that still use TLS 1.0 should be updated as soon as possible to support TLS 1.2 as the preferred connection.

 

We are currently discussing whether and when to set dates for Sandbox disablement of TLS 1.0 and TLS 1.1, and we will make an announcement once a formal plan has been created.