[cabfpub] SHA-1 exception request

Peter Bowen pzb at amzn.com
Mon Oct 10 16:36:57 UTC 2016

> On Oct 10, 2016, at 9:02 AM, Gerv wrote:
> On 08/10/16 13:44, Dean Coclin wrote:
>> The POS provider is required to maintain PCI compliance of their device.
> And PCI compliance doesn't yet require use of SHA-256? What is the exact
> status there, with deadlines?

According to Visa’s website, POS terminal vendors must cease selling devices that don’t support SHA-2 by April 30, 2017 (the “Device Expiration Date”).  However, Visa has not set a sunset date for such devices.  Their usage requirement says “Allowed if purchased prior to expiration date”.

I’m having trouble tracking down the info for other card brands, but I suspect they are similar — no requirement to cease using devices that do not support SHA-256, SHA-384, or SHA-512 certs.

I do know there is a deadline for merchants to cease using SSLv3 and TLS v1.0 by June 30, 2018.  However it is obviously possible to use a SHA-1 certificate with TLS v1.1 or v1.2, so that doesn’t really answer the certificate question.
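The last paragraph makes a point worth checking for yourself: the negotiated TLS version says nothing about the hash in the certificate's signature, so a TLS 1.2 deadline does not retire SHA-1 certificates. The script below is an added example (my own code, not part of Peter's message or anything the CA/B Forum publishes) that reads the signatureAlgorithm field straight out of a DER certificate with a small DER walker, so a SHA-1 certificate can be flagged independently of the protocol version. The OID-to-name table is this example's own lookup, the two DER blobs are constructed placeholders with the outer Certificate shape only (no real key or signature), and `check_server` is a hypothetical helper built on the standard-library `ssl` API for use against a host you administer.

```python
# Added example: detect a SHA-1 certificate signature from raw DER, regardless
# of the TLS version that was negotiated. Not code from the cabfpub thread.
import ssl
import socket
import sys

# Lookup table written for this example (OIDs from RFC 3279 / 4055 / 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos (definite lengths only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents octets into dotted notation."""
    subids, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 subidentifier
            subids.append(value)
            value = 0
    first = subids[0]  # first octet packs the first two arcs as 40*X + Y
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, start, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)           # tbsCertificate, skipped whole
    tag, alg_start, _ = _read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def uses_sha1(der):
    """True when the certificate signature hash is SHA-1 (unknown OIDs count as not SHA-1)."""
    return "sha1" in SIG_ALG_NAMES.get(signature_algorithm(der), "unknown").lower()


def _tlv(tag, content):
    """Minimal DER encoder used only to build the constructed sample blobs."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample inputs: the outer Certificate shape only, with a placeholder
# tbsCertificate (INTEGER 1) and a dummy BIT STRING. Not valid certificates.
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def constructed_cert(sig_alg_oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_alg_oid_bytes) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 5)
    return _tlv(0x30, tbs + alg + sig)


def check_server(host, port=443):
    """Hypothetical helper: report (negotiated TLS version, certificate signature name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), SIG_ALG_NAMES.get(signature_algorithm(der), "unknown")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))  # e.g. ('TLSv1.2', 'sha1WithRSAEncryption')
    for blob in (constructed_cert(SHA1_RSA_OID), constructed_cert(SHA256_RSA_OID)):
        print(signature_algorithm(blob), "sha1" if uses_sha1(blob) else "not sha1")
```

The point the output makes is the one in the message: a result like `('TLSv1.2', 'sha1WithRSAEncryption')` is perfectly possible, so inventories of POS devices and servers need to track the certificate signature hash separately from the protocol version.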
