SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0” will be marked as a Fail for PCI as of May 1, 2017 in accordance with the PCI DSS v3.2. For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI until June 30, 2018.
PCI DSS v3.2 specifies that wherever SSL / Early TLS are used, Appendix A2 must be completed. Appendix A2 details the required elements of the Risk Mitigation & Migration Plan, as well as the migration dates for SSL/Early TLS:
- Cannot be used for new implementations;
- Cannot be used for existing implementations after June 30, 2018;
- Prior to June 30, 2018 existing implementations must have a Risk Mitigation & Migration Plan.
A new version of the Information Supplement Migrating from SSL and Early TLS v1.1 has also been published, which states the following:
“Prior to June 30, 2018: Entities that have not completed their migration should provide the ASV with documented confirmation that they have implemented a Risk Mitigation and Migration Plan and are working to complete their migration by the required date. Receipt of this confirmation should be documented by the ASV as an exception under ‘Exceptions, False Positives, or Compensating Controls’ in the ASV Scan Report Executive Summary, and the ASV may issue a result of ‘Pass’ for that scan component or host, if the host meets all applicable scan requirements.”
Documents are available in the PCI Council Document Library.