If you're in the financial services industry, have an e-commerce site, or if your business stores, processes or transmits cardholder, the countdown is on.

In order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data businesses need to disable SSL (Secure Sockets Layer) or early TLS (Transport Layer Security) and replace it with a more secure protocol by June 30, 13 days from now.

While TLS 1.1 or higher is acceptable, PCI Security Standards Council (PCI SSC), a Wakefield, Mass. consortium whose executives hail from American Express, Discover, Mastercard, and Visa, strongly encourages TLS v1.2.

TLS 1.2, defined in RFC 5246 in August of 2008, tightens up security all around. It replaces MD5-SHA-1 in the pseudorandom function with SHA-256, and adds support for authenticated encryption with additional data modes, among other tweaks.

The PCI SSC moved the deadline from June 30, 2016 to June 30, 2018 what seems like eons ago, in December 2015. The move, mandated by many companies years ago, aligns with industry best practices for security and data integrity.

The move was spurred years ago by a slew of capitalized, five letter vulnerabilities in SSL/TLS, like POODLE, BEAST, CRIME, and Heartbleed, a nasty bug in OpenSSL, an implementation of TLS, that came to light in April 2014. All of the vulnerabilities demonstrated a weakness, either in a client's ability to fallback to a vulnerable SSL version (POODLE, Heartbleed) or in TLS (BEAST, CRIME).

PCI SSC stresses that organizations either upgrade or disable any fallback to SSL/early TLS. If they haven't already companies in transition should have a formal Risk Mitigation and Migration Plan in place as well.

Failure to comply with PCI-DSS could result in fines, ranging from 5,000 to $500,000. Banks periodically report if merchants are complying to PCI DSS to credit card agencies, which can then choose companies to look into further. Failure to comply could ultimately affect an organization’s ability to take credit card payments as well.

A study carried out by Verizon last year found that 100 percent of PCI certified companies that experienced a breach also failed a PCI compliance audit, meaning none were fully PCI DSS compliant at the time of their breach. Furthermore – and perhaps more alarming – half of those organizations failed to maintain PCI compliance year after year.

There’s only one condition that organizations can still run these deprecated protocols. Only POS POI terminals that have been verified as not being susceptible to exploits can use SSL/early TLS. Otherwise systems using the cryptographic protocols will not considered as demonstrating strong cryptography.