AnsweredAssumed Answered

SSL Labs and PCI Compliance

Question asked by Oben Kuyucu on Dec 21, 2010
Latest reply on Dec 26, 2010 by Abdulmohsen Aleiban

Hi there,

 

I have run a test for a site with SSL v2 support with SSL Labs. Even tough it says there is SSL v2: Insecure with bold and red letters, at the very down of the results, it says the site is PCI Compliant.

 

According to ASV (Approved Scanning Vendor) Program Guide, having SSL v2.0 is an automatic failure for PCI Compliance. The guide also mentions that even the server supports SSL v2.0 only for handshake, because of "forced downgrade" vulnerabilities, again it is an automatic failure.

 

How come SSL Lab results can state the server is PCI Compliant?

 

Thanks.

Outcomes