Why did I fail a PCI scan, noting that TLSv1.0 is supported?
In PCI DSS 3.1 (released April 2015), the PCI Security Council issued the mandate to disable TLS 1.0 by June of 2016 (some devices will be allowed to continue using TLS 1.0 beyond that). Your PCI Security Scanning vendor has returned a PCI failure this year in order to bring this requirement to their customers’ attention a year in advance.
Note: This vulnerability is not recognized in the National Vulnerability Database.
Since many customers still use operating systems, browsers, and mobile devices that require TLS 1.0 (i.e. disabling TLS 1.0 could seriously reduce e-commerce site sales), it’s unlikely that many e-commerce sites or banks will discontinue support for TLS 1.0 in the immediate future. Therefore, your PCI Security Scanning vendor is only looking for a written migration plan which attests that you (i.e. you and your service providers) will disable support for TLS 1.0 on or before June 2016.
In short, your scanning vendor wants you to appeal the finding and supply that written migration plan.
How do I appeal with a written migration plan?
- Below are instructions on the style and content of the appeal.
- Print the migration plan letter on company letterhead and replace the <<Italicized words>> with your own details.
When you are ready to submit your migration plan, ask your scanning vendor for a ticket number.
Then use this text in your appeal/dispute:
Hi <<PCI Scanning Vendor>> Support,
Please grant an appeal approval for these findings on the listed devices until Jun 21, 2016.
Please note the following:
1. Our organization has investigated and confirmed that a mitigation plan is in place to migrate from TLS 1.0 to newer TLS versions.
The mitigation plan is being emailed to support@<<PCI Scanning Vendor>>.com under ticket: #<<XXXXXXX>>
Risk Mitigation and Migration Plan for Payment Card Industry Data Security Standard (PCI DSS) 3.1 Requirements
c/o <<PCI Scanning Vendor>>
Dear Sir or Madam:
Please accept this as the Risk Mitigation and Migration Plan for PCI DSS 3.1 for <<DomainName.com>>.
I have requested that my service provider migrate from SSL and early TLS protocols and mitigate the risks until they do so.
They are planning to complete the migration away from SSL and/or early versions of TLS on or before June 21, 2016.
TLS 1.0 is used during e-commerce transactions. The risks of TLS 1.0 are monitored through third-party sources and mitigated by following the best practices published by Qualys SSL Labs, including:
- SSL v3 has been disabled on all internet-facing equipment.
- Public/private key pairs (2048-bit keys, SHA-256 signature algorithm) are replaced at each annual renewal.
- Certificates are ordered from, and installed as issued by, an established Certification Authority (a CA with wide market share that publishes CRLs, supports OCSP, and offers domain-validated and EV certificates).
- Stronger, more current protocols (TLS 1.1 and TLS 1.2) are enabled on all newer systems for connections from clients that support them.
- A migration plan to disable SSL and TLS 1.0 has been defined.
<<Name of domain.com Company Representative>>
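Before attesting to the list above, it helps to know exactly which protocol versions your servers still accept. The following Python is an added example written for this page; it is not code from the original article, from any PCI scanning vendor, or from Apache or nginx. It evaluates Apache `SSLProtocol` values (assuming Apache 2.4 semantics, where `all` means SSLv3 plus every TLS version and tokens are applied left to right) and nginx `ssl_protocols` lists, then reports which enabled versions PCI DSS 3.1 classes as "SSL and early TLS". The vhost and server fragments embedded in it are constructed samples, not configuration from this page.

```python
"""Audit web-server protocol directives for SSL / early TLS (PCI DSS 3.1).

Added example: parses Apache `SSLProtocol` and nginx `ssl_protocols` values
and reports which enabled versions PCI DSS 3.1 classes as "SSL and early TLS".
"""
import re

# Protocol tokens mod_ssl and nginx accept, in canonical spelling.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in KNOWN}
# Assumption: Apache 2.4's `all` shortcut (SSLv2 support was removed in 2.4).
APACHE_ALL = set(KNOWN) - {"SSLv2"}
# Versions PCI DSS 3.1 requires migrating away from ("SSL and early TLS").
EARLY = {"SSLv2", "SSLv3", "TLSv1"}


def _canon(token: str) -> str:
    """Map a protocol token to its canonical name, rejecting typos."""
    try:
        return _CANON[token.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol token: {token!r}") from None


def apache_enabled(value: str) -> set:
    """Evaluate an Apache `SSLProtocol` value left to right, as mod_ssl does:
    `all` expands to every version, `+X` or bare `X` enables X, `-X` disables X.
    """
    enabled = set()
    for token in value.split():
        sign, name = "+", token
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        versions = APACHE_ALL if name.lower() == "all" else {_canon(name)}
        if sign == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def nginx_enabled(value: str) -> set:
    """nginx `ssl_protocols` is a plain list; anything not listed is off."""
    return {_canon(t) for t in value.rstrip(";").split()}


def assess(enabled: set) -> dict:
    """Compare an enabled version set against the PCI DSS 3.1 early-TLS list."""
    early = sorted(enabled & EARLY)
    return {"enabled": sorted(enabled), "early_tls": early, "compliant": not early}


# One pattern per server; directive names are matched case-insensitively.
_DIRECTIVES = (
    ("apache", re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I | re.M), apache_enabled),
    ("nginx", re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.I | re.M), nginx_enabled),
)


def audit_config(text: str) -> list:
    """Return one assessment per protocol directive found in `text`."""
    findings = []
    for server, pattern, evaluate in _DIRECTIVES:
        for match in pattern.finditer(text):
            result = assess(evaluate(match.group(1)))
            result.update(server=server, directive=match.group(0).strip())
            findings.append(result)
    return findings


# Constructed sample: a legacy vhost that still fails the scan next to a migrated one.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol -all +TLSv1.1 +TLSv1.2
</VirtualHost>
"""
# Constructed sample nginx server block that still lists TLSv1.
SAMPLE_NGINX = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG + SAMPLE_NGINX):
        status = "OK  " if finding["compliant"] else "FAIL"
        print(f"{status} {finding['server']:6} {finding['directive']:40} early TLS: {finding['early_tls']}")
```

The first sample vhost is the common case behind this scan finding: `all -SSLv2 -SSLv3` looks hardened but still leaves TLSv1 enabled, while `-all +TLSv1.1 +TLSv1.2` is the shape the migration plan commits to. Note that the audit only reads configuration; after deploying a change, confirm it from the outside against your own host with `openssl s_client -connect <<DomainName.com>>:443 -tls1`, where a completed handshake means TLS 1.0 is still accepted.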