Slashdot Mirror


Deadline for Better Encryption on Payment Systems Pushed Back Two Years (pcisecuritystandards.org)

An anonymous reader writes: The Payment Card Industry Security Standards Council (PCI SSC) has announced (PDF) that it will push back the mandatory implementation of TLS 1.1+ encryption, over the very insecure SSL 3.0 and TLS 1.0 protocols, which are subject to POODLE attacks. PCI SSC cites "complications" that may come from dealing with EMV chip-and-PIN cards in the US, the new mobile payment platforms, and browser upgrades for the insecure SHA-1 algorithm.

4 of 91 comments

  1. Not the biggest problem by CastrTroy · Score: 5, Interesting

    I don't see it as a huge problem simply because this is not the biggest problem that online payment systems face. The big problem isn't people sniffing transactions over the wire. This almost never happens. What typically tends to happen is that somebody breaks into the actual system that houses all the sensitive information and steals the data directly. This is much more lucrative as you can steal thousands (or tens of thousands, or even more) of credit card numbers at the same time.

    Until we get to the point where online retailers aren't storing this data (in 99% of cases they don't need to), there's little reason to complain about much smaller problems such as what encryption methods are being used.

    We'd be much better off with a system where we didn't even have to send our credit card numbers to the online retailer. Ideally, when paying for something online, you would be redirected to your bank's (or the credit card issuer's) web site with information on where to direct the money. After verifying your identity, a cryptographically signed message would be sent to the recipient site so they could verify the payment was successful. There is no reason for them to ever see your account number or other vital information.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
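The redirect-to-bank flow the comment above sketches, as an added example that is not from the thread: the merchant checks a bank-issued, authenticated "paid" confirmation (order, amount, freshness, no replay) and never handles the card number. Assumptions: a per-merchant shared secret with the bank and HMAC-SHA256 stand in for the bank's public-key signature so the example runs on the standard library alone; all values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret; a real bank would sign with a private key and
# publish the certificate, letting the merchant verify without any secret.
MERCHANT_KEY = b"constructed-shared-secret-for-merchant-42"


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation so bank and merchant MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def bank_issue_confirmation(key: bytes, order_id: str, amount_cents: int,
                            currency: str, now: int) -> dict:
    # What the bank sends the merchant after authenticating the cardholder:
    # no PAN, just the order reference, amount, status, time and a nonce.
    payload = {"order_id": order_id, "amount_cents": amount_cents,
               "currency": currency, "status": "paid",
               "issued_at": now, "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


class MerchantVerifier:
    def __init__(self, key: bytes, max_age_s: int = 300):
        self.key, self.max_age, self.seen_nonces = key, max_age_s, set()

    def verify(self, message: dict, expected: dict, now: int) -> tuple:
        payload = message.get("payload", {})
        tag = message.get("mac", "")
        good = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time compare first, so nothing else is trusted until then.
        if not hmac.compare_digest(good, tag):
            return False, "bad signature"
        if payload.get("status") != "paid":
            return False, "not paid"
        for k in ("order_id", "amount_cents", "currency"):
            if payload.get(k) != expected[k]:  # bind to what the merchant billed
                return False, f"{k} mismatch"
        if abs(now - payload["issued_at"]) > self.max_age:
            return False, "stale"
        if payload["nonce"] in self.seen_nonces:  # same receipt used twice
            return False, "replay"
        self.seen_nonces.add(payload["nonce"])
        return True, "ok"
```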
  2. Translation: PCI is now meaningless rubber stamp by rubycodez · Score: 3, Insightful

    Choosing convenience over security by continuing to allow known weak and broken ciphers, PCI just lost all credibility. May as well dissolve it.

  3. Email clients are the weakest link by stevel · Score: 3, Informative

    I run an e-commerce store and have to deal with PCI compliance. We don't store credit card details, but the info passes through our server. The June 30, 2016 deadline to drop TLS1.0 was a big headache, made worse by the "Trustwave" PCI checking tool (mandatory from our payment processor) failing us as of July 2015 for not dropping TLS1.0, but I could submit a remediation plan every three months to defer it.

    I did a bunch of testing to see what broke if I dropped TLS1.0. On the web browser side, MSIE10 wouldn't like it, but other, reasonably current, browsers were OK. What surprised me, though, was how many email clients simply stopped communicating with our server if I turned off TLS1.0 for SMTP and IMAP. It's been hard to find details on which clients support TLS1.1 - and perhaps there's some aspect here I'm missing - but this to me is the bigger problem than the web service. (Even though we don't use email for sensitive info, if TLS1.0 is enabled on ANY port, we fail.)

    I'm glad to see that this deadline was pushed back, as it was giving me heartburn.

  4. Is it possible to fuck this up worse? by PvtVoid · Score: 4, Insightful

    I got my EMV card from my bank, which is one of the few that is actually implementing the cards with a PIN. (Hooray for my bank!)

    Guess what? I have found exactly one store where it works: Target. Every other store I've been to, every one, still uses the mag stripe and a signature, with the exception of Rite-Aid where they couldn't accept my card at all and I paid cash. Store personnel are whinging to high heaven about how horrible EMV cards are, how this will never work, how it's totally unreasonable of the banks to force this on them, etc. etc.

    Go to Europe? It's been working seamlessly for twenty years now. Why the fuck are Americans so fucking stupid?