Slashdot Mirror


Deadline for Better Encryption on Payment Systems Pushed Back Two Years (pcisecuritystandards.org)

An anonymous reader writes: The Payment Card Industry Security Standards Council (PCI SSC) has announced (PDF) that it will push back the mandatory implementation of TLS 1.1+ encryption, over the very insecure SSL 3.0 and TLS 1.0 protocols, which are subject to POODLE attacks. PCI SSC cites "complications" that may come from dealing with EMV chip-and-PIN cards in the US, the new mobile payment platforms, and browser upgrades for the insecure SHA-1 algorithm.
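The practical problem behind the delay is that a merchant cannot turn off SSL 3.0 and TLS 1.0 until it knows how many of its clients (terminals, mobile apps, browsers) still offer nothing newer. The Python below is an added example, not code from the story or from the PCI SSC document: it parses a TLS ClientHello record, works out the highest protocol version the client actually offers (the RFC 8446 supported_versions extension when present, otherwise the legacy client_version field), and reports whether that meets the TLS 1.1 floor the summary describes. The sample ClientHello records are constructed in the block with a zero random and a minimal cipher list; the function and constant names are this example's own.

```python
"""Classify TLS ClientHello records by the highest protocol version offered.

Added example (not from the original page). The records parsed here are
constructed by build_client_hello() below, not captured traffic.
"""
import struct
from collections import Counter

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 = 0x0300, 0x0301, 0x0302, 0x0303, 0x0304
VERSION_NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1",
                 TLS_1_2: "TLS 1.2", TLS_1_3: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43   # extension type registered by RFC 8446
PCI_FLOOR = TLS_1_1           # minimum version the PCI requirement in the story calls for


def build_client_hello(client_version, cipher_suites, supported_versions=None,
                       record_version=None):
    """Construct a minimal ClientHello record (test fixture, not a real client)."""
    body = struct.pack("!H", client_version) + b"\x00" * 32   # version + all-zero random
    body += b"\x00"                                           # empty session id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                                       # one compression method: null
    if supported_versions is not None:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vs) + 1) + bytes([len(vs)]) + vs
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    rv = client_version if record_version is None else record_version
    return b"\x16" + struct.pack("!H", rv) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return record version, legacy client_version, offered cipher suites and
    the effective (highest) version the client supports."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # skip random
    pos += 1 + hello[pos]                       # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # skip compression methods
    supported = []
    if pos + 2 <= len(hello):                   # extensions block is optional (absent in old clients)
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT and edata:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    # Ignore GREASE and unknown values; a TLS 1.3 client's legacy field says 1.2 and its
    # record layer usually says 1.0, so only supported_versions gives the true maximum.
    known = [v for v in supported if v in VERSION_NAMES]
    effective = max(known) if known else client_version
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": cipher_suites, "effective_version": effective,
            "effective_name": VERSION_NAMES.get(effective, hex(effective))}


def meets_pci_floor(info):
    """True when the client can negotiate at least TLS 1.1."""
    return info["effective_version"] >= PCI_FLOOR


def triage(records):
    """Count a batch of ClientHello records by the highest version each offers."""
    return Counter(parse_client_hello(r)["effective_name"] for r in records)


# Constructed fixtures: an old terminal (TLS 1.0, CBC suites), an SSL 3.0-only client,
# and a modern client whose record/legacy fields understate its real version.
SAMPLE_HELLOS = [
    build_client_hello(TLS_1_0, [0x002F, 0x000A]),
    build_client_hello(SSL_3_0, [0x000A]),
    build_client_hello(TLS_1_2, [0x1301, 0x002F],
                       supported_versions=[0x0A0A, TLS_1_3, TLS_1_2], record_version=TLS_1_0),
]

if __name__ == "__main__":
    for rec in SAMPLE_HELLOS:
        info = parse_client_hello(rec)
        print(info["effective_name"], "ok" if meets_pci_floor(info) else "BELOW FLOOR")
    print(dict(triage(SAMPLE_HELLOS)))
```

Run it against a capture of real ClientHellos (one record per connection, stripped of the TCP layer) to size the legacy population before flipping the server's minimum version; the third fixture shows why neither the record-layer version nor the legacy client_version field alone is a safe signal.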

3 of 91 comments

  1. Translation: PCI is now meaningless rubber stamp by rubycodez · Score: 3, Insightful

    Choosing convenience over security by continuing to allow known weak and broken ciphers, PCI just lost all credibility. May as well dissolve it.

  2. Is it possible to fuck this up worse? by PvtVoid · Score: 4, Insightful

    I got my EMV card from my bank, which is one of the few that is actually implementing the cards with a PIN. (Hooray for my bank!)

    Guess what? I have found exactly one store where it works: Target. Every other store I've been to, every one, still uses the mag stripe and a signature, with the exception of Rite-Aid where they couldn't accept my card at all and I paid cash. Store personnel are whinging to high heaven about how horrible EMV cards are, how this will never work, how it's totally unreasonable of the banks to force this on them, etc. etc.

    Go to Europe? It's been working seamlessly for twenty years now. Why the fuck are Americans so fucking stupid?

    1. Re:Is it possible to fuck this up worse? by taustin · Score: 2, Insightful

      National retailers who do their own software, like Target (who had a hell of an incentive) and Home Depot (who also had a hell of an incentive) are ahead of the curve. Anybody who relies on software vendors for their processing software is at said company's mercy, and the software companies (who end up on the hook for any expensive mistakes) are very cautious. Our vendor didn't like the beta testing, and decided not to throw us into the Christmas season with software they weren't confident in. We did not disagree.

      There is no difference to the consumer. Their protections are legal, not technical (and if you believe otherwise, you probably need a more honest bank). The only difference is some liability on disputed transactions shifts from the merchant service or card holder's bank to the merchant, and if the merchant is at all competent, that's a small difference.

      The reason it was easier in Europe was that fewer people have credit cards there, and it cost less. When the terminals cost the better part of a grand apiece, it's a huge expense to change them out. That, and inertia, and a certain amount of stupidity.