Two QIDs will be marked as PCI Fail starting May 1, 2019, as required by the ASV Program Guide:
- QID 38601 “SSL/TLS Use of Weak RC4 Cipher”
- QID 42366 “SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)”
The latest revision of the ASV Program Guide (version 3.1) says the following about SSL/TLS components:
“A component must be considered non-compliant and marked as an automatic failure by the ASV:
– If it supports SSL or early versions of TLS, OR
– If strong cryptography is supported in conjunction with SSL or early versions of TLS (due to the risk of ‘forced-downgrade’ attacks).”
ASV scan customers needed to migrate away from SSL/early TLS by June 30, 2018, as announced in the Qualys blog post of April 18, 2017.
Compensating controls can be used where SSL/early TLS is still in use. If the system is found not to be susceptible to the particular vulnerability, a false positive/exception request can be submitted to and approved by the ASV, resulting in a “PCI Pass” for the affected scan component or target host.
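Before submitting an exception it is worth reproducing the finding yourself. The script below is an added example, not Qualys code and not part of the original post: it uses openssl s_client to check the three conditions behind the two QIDs (an SSLv3 handshake, a TLS 1.0 handshake, and negotiation of any RC4 suite) and reduces the results to a PASS/FAIL verdict. The host and port are arguments you supply; the function names are this example's own. One caveat is built in: many current OpenSSL builds ship without SSLv3 or RC4 support, so s_client rejects the `-ssl3` option or reports “no cipher match”. The script reports that as UNSUPPORTED and the overall result as INCONCLUSIVE rather than PASS, because the client, not the server, declined.

```shell
#!/bin/sh
# Probe a host for SSLv3/TLS 1.0 support and RC4 negotiation (the conditions
# behind Qualys QIDs 42366 and 38601). Added example; requires openssl(1).
# Usage: sh tls_probe.sh HOST [PORT]   (PORT defaults to 443)

# negotiated OUTPUT: reduce s_client output to a single token.
#   UNSUPPORTED  - the local openssl cannot even attempt the probe
#   NONE         - the server refused the handshake ("Cipher is (NONE)")
#   <suite name> - the server accepted, e.g. RC4-SHA
negotiated() {
    if printf '%s\n' "$1" | grep -Eqi 'unknown option|no cipher match'; then
        echo UNSUPPORTED
        return
    fi
    c=$(printf '%s\n' "$1" | sed -n 's/^.*Cipher is \(.*\)$/\1/p' | head -n 1)
    case $c in
        ''|'(NONE)') echo NONE ;;
        *) echo "$c" ;;
    esac
}

# probe HOST PORT S_CLIENT_ARGS...: run one handshake attempt and classify it.
# stderr is merged so "Unknown option" / "no cipher match" messages are seen.
probe() {
    host=$1; port=$2; shift 2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1)
    negotiated "$out"
}

# verdict RESULT...: FAIL if any probe negotiated a suite, INCONCLUSIVE if
# nothing negotiated but some probe could not be attempted, otherwise PASS.
verdict() {
    inconclusive=
    for r in "$@"; do
        case $r in
            UNSUPPORTED) inconclusive=1 ;;
            NONE) ;;
            *) echo FAIL; return ;;
        esac
    done
    if [ -n "$inconclusive" ]; then echo INCONCLUSIVE; else echo PASS; fi
}

main() {
    host=$1; port=${2:-443}
    ssl3=$(probe "$host" "$port" -ssl3)
    tls10=$(probe "$host" "$port" -tls1)
    # @SECLEVEL=0 is needed on OpenSSL 1.1+ for the client to offer RC4 at all.
    rc4=$(probe "$host" "$port" -cipher 'RC4:@SECLEVEL=0')
    printf 'SSLv3:   %s\nTLSv1.0: %s\nRC4:     %s\nverdict: %s\n' \
        "$ssl3" "$tls10" "$rc4" "$(verdict "$ssl3" "$tls10" "$rc4")"
}

# Only probe when a host was given, so the functions can be sourced for reuse.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

A server that answers TLSv1.0: NONE and RC4: NONE with both probes actually attempted is the evidence an ASV will want alongside an exception request; an INCONCLUSIVE result means you need an openssl build with the legacy options enabled (or a scanner that has them) before concluding anything.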
The ASV Program Guide and PCI DSS are available in the PCI Council Document Library.