Two QIDs will be marked as PCI Fail on May 1, 2019 as required by ASV Program Guide:
- QID 38601 “SSL/TLS Use of Weak RC4 Cipher”
- QID 42366 “SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)”
QID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score.
Under PCI DSS merchants and financial institutions are required to protect their clients’ sensitive data with strong cryptography. Strong cryptography is defined in the Glossary of Terms, Abbreviations and Acronyms for PCI DSS as cryptography based on industry-tested and accepted algorithms.
NIST Special Publication 800-131A announced that RSA public keys shorter than 2048 bits are disallowed, so QID 38598 detected in ASV scans will result a PCI failure. ASV scan customers will need to obtain a 2048-bit or larger public key length certificate from their Certificate Authority.
QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.