PCI & SSL/Early TLS QIDs 38601, 42366
Two QIDs will be marked as PCI Fail on May 1, 2019, as required by the ASV Program Guide:
- QID 38601 "SSL/TLS Use of Weak RC4 Cipher"
- QID 42366 "SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)"
The latest revision of the ASV Program Guide (ver. 3.1) states the following for the SSL/TLS component:
"A component must be considered non-compliant and marked as an automatic failure by the ASV:
- If it supports SSL or early versions of TLS, OR
- If strong cryptography is supported in conjunction with SSL or early versions of TLS (due to the risk of 'forced downgrade' attacks)."
ASV scan customers needed to migrate away from SSL/early TLS by June 30, 2018, as was announced previously in the Qualys blog post of April 18, 2017.
Compensating controls could be used where SSL/early TLS is still in use. If the system is found not to be susceptible to the particular vulnerabilities, a false positive/exception could be submitted and approved by the ASV, resulting in a "PCI Pass" for the affected scan component or target host.
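To check a host for the two conditions above before submitting an exception, the following script (an added example, not Qualys's scanner logic) asks the server for TLS 1.0 only, then for an RC4 suite only, and applies the quoted ASV rule to the answers. Host and port are arguments you supply; the probe names and verdict fields are this example's own.

```python
import socket
import ssl

# One probe per QID condition. ssl.TLSVersion.TLSv1 is TLS 1.0; the RC4 probe
# leaves TLS 1.2 open so only the cipher, not the protocol, decides its result.
PROBES = {
    "early-tls (TLS 1.0)": dict(min_version=ssl.TLSVersion.TLSv1,
                                max_version=ssl.TLSVersion.TLSv1, ciphers=None),
    "rc4-cipher":          dict(min_version=ssl.TLSVersion.TLSv1,
                                max_version=ssl.TLSVersion.TLSv1_2, ciphers="RC4"),
}

def run_probe(host, port, min_version, max_version, ciphers, timeout=5.0):
    """Return ("accepted", "<proto>/<cipher>"), ("refused", reason) or
    ("untestable", reason). Untestable means this client's OpenSSL build cannot
    even offer the option (most current builds ship without RC4 or TLS 1.0), so
    a refusal from it would prove nothing about the server."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # testing protocol/cipher support, not the cert
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
        if ciphers:
            ctx.set_ciphers(ciphers)      # SSLError "No cipher can be selected" if absent
    except (ssl.SSLError, ValueError) as exc:
        return ("untestable", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("accepted", f"{tls.version()}/{tls.cipher()[0]}")
    except OSError as exc:                # ssl.SSLError is an OSError subclass
        # The client itself had no version to offer: not a server refusal.
        if getattr(exc, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return ("untestable", str(exc))
        return ("refused", str(exc))

def asv_verdict(results):
    """Apply the ASV rule: any accepted SSL/early TLS protocol or RC4 suite is an
    automatic failure; untestable probes are listed so they get re-run with a
    client that can offer the weak option."""
    failed = sorted(n for n, (state, _) in results.items() if state == "accepted")
    unknown = sorted(n for n, (state, _) in results.items() if state == "untestable")
    return {"pci_fail": bool(failed), "failing": failed, "untestable": unknown}

def scan(host, port=443):
    return asv_verdict({n: run_probe(host, port, **p) for n, p in PROBES.items()})

if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A "refused" result only counts as evidence when the probe was not "untestable"; confirm any untestable entry with an OpenSSL build that still includes TLS 1.0 and RC4.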
The ASV Program Guide and PCI DSS are available in the PCI Council Document Library.