Koozali.org: home of the SME Server

PCI Council is looking at using TLS 1.0 or SSL v3 as not secure

Drifting

Customer had the following email. I disabled SSL v2 a while back; now they are complaining about 3.
What can I do about this? Do I just go ahead and disable 3 as well? I was not sure of any implications of doing so, hence the question.

Paul

Hello,

PCI Council is looking at using TLS 1.0 or SSL v3 as not secure and is recommending using more secure services. Currently, using TLS 1.1 or higher is considered a "best practice" and will become an official PCI requirement after 2016-06-30.

We set up our scanner to recognize this finding as critical in order to raise awareness of the changes in PCI DSS and make merchants' business environment as secure as possible sooner.

Please note that the remediation for the issue is saying one important thing:

"Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0 or SSL v3 enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have a formal risk mitigation and migration plan."

This means that you can dispute the finding, and if you have a plan to upgrade to TLS 1.1 or higher, the dispute will be approved and valid for one year.

However, we still detected that SSL3 ciphers are enabled.

If you have any further questions or concerns, please feel free to respond directly to this email or contact Compliance Support at xxxxxxxx.
Should you decide to call, please reference your case number xxxxxx.

If further assistance is not needed, you may disregard this email.

Have a great day!
« Last Edit: May 11, 2015, 01:53:06 PM by Drifting »
Infamy, Infamy, they all have it in for me!