SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0” will be marked as a Fail for PCI as of November 1st, 2016, in accordance with the new PCI DSS v3.2. For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
PCI DSS v3.2 goes into effect on November 1st, 2016.
The prior 3.1 version from 2015 is set to be retired on October 31st, 2016.
PCI DSS v3.2 specifies that wherever SSL / Early TLS is used, Appendix A2 must be completed. Appendix A2 details the required elements of the Risk Mitigation & Migration Plan, as well as the migration dates for SSL/Early TLS:
- Cannot be used for new implementations
- Cannot be used for existing implementations after June 30th, 2018
- Prior to June 30th, 2018, existing implementations must have a Risk Mitigation & Migration Plan
A new version of the Information Supplement Migrating from SSL and Early TLS v1.1 has also been published which states the following:
“Prior to June 30, 2018: Entities that have not completed their migration should provide the ASV with documented confirmation that they have implemented a Risk Mitigation and Migration Plan and are working to complete their migration by the required date. Receipt of this confirmation should be documented by the ASV as an exception under “Exceptions, False Positives, or Compensating Controls” in the ASV Scan Report Executive Summary, and the ASV may issue a result of “Pass” for that scan component or host, if the host meets all applicable scan requirements.”
Documents are available on the PCI Council's website at the following: https://www.pcisecuritystandards.org/document_library