Hi
I don’t have a compliance document as such - the failure is from a third-party scanning process run by Trustwave. The details regarding the failure are below.
I think that I can probably dispute this with them provided I can show there is a plan to switch off TLSv1.0 by June 30th, 2016 so if you are able to commit to this by then, I can inform them and they’ll probably let me remain compliant for the time being.
Regards
Ashley
Finding: TLSv1.0 Supported
Severity: Medium
PCI Status: Fail
Description: This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
Remediation: The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0 enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have a formal risk mitigation and migration plan.
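The following is an added example, not part of Ashley's message or of the Trustwave report it quotes. It reproduces the scanner's check from the defender's side: probe a host once per protocol version with a client pinned to exactly that version, then apply the finding's own rule (TLSv1.0 offered means Fail; Pass only once TLSv1.0 is off and TLSv1.1 or TLSv1.2 still answers). The hostname in the usage line is a placeholder; the `evaluate_finding` rule and the "service would go dark" caveat are derived from the remediation text above, which notes that simply disabling TLSv1.0 is only sufficient where TLSv1.1/1.2 are already supported.

```python
import socket
import ssl

# Protocol versions in the order a scanner would try them.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake when the client
    offers exactly `version` and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are measuring protocol support, not certificate trust, so skip
    # verification here; never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Allow legacy cipher suites so an old version is detectable even
        # on an OpenSSL build whose default security level hides it.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library does not understand SECLEVEL; probe with defaults
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # local library cannot even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port=443):
    """Map each protocol name to whether the server accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def evaluate_finding(supported):
    """Apply the scanner's rule to a {version: bool} map and say what to do.

    Returns a dict with 'pci_status' ('Pass', 'Fail' or 'Unknown') and
    an 'action' sentence for the operator.
    """
    stronger = [v for v in ("TLSv1.1", "TLSv1.2", "TLSv1.3") if supported.get(v)]
    if supported.get("TLSv1.0"):
        if stronger:
            # Remediation text: a stronger version already works, so turning
            # TLSv1.0 off is sufficient on its own.
            action = "Disable TLSv1.0; %s already supported." % ", ".join(stronger)
        else:
            # Caveat: disabling the only working version would take the
            # service down, so enable TLSv1.1/1.2 first.
            action = "Enable TLSv1.1 or TLSv1.2 before disabling TLSv1.0, or the service goes dark."
        return {"pci_status": "Fail", "action": action}
    if stronger:
        return {"pci_status": "Pass", "action": "No change needed for this finding."}
    return {"pci_status": "Unknown", "action": "No TLS version negotiated; check reachability or port."}


if __name__ == "__main__":
    # Placeholder hostname; substitute the host Trustwave scanned.
    results = probe_all("shop.example.invalid")
    for name, ok in results.items():
        print("%-8s %s" % (name, "supported" if ok else "not offered"))
    print(evaluate_finding(results))
```

The probe talks to a real host, so run it from the same network position the scanner uses; a front-end load balancer may terminate TLS differently from the origin. Once the result shows TLSv1.0 off and TLSv1.1 or TLSv1.2 still negotiating, the finding can be closed rather than disputed.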