Qualys Inc.

03/14/2019 | News release | Distributed by Public on 03/14/2019 10:23

PCI & SSL/Early TLS QIDs 38601, 42366

Two QIDs will be marked as PCI Fail on May 1, 2019 as required by ASV Program Guide:

  • QID 38601 'SSL/TLS Use of Weak RC4 Cipher'
  • QID 42366 'SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)'

Last revision of ASV Program Guide (ver. 3.1) has the following for SSL/TLS component:

'A component must be considered non-compliant and marked as an automatic failure by the ASV:
- If it supports SSL or early versions of TLS, OR
- If strong cryptography is supported in conjunction with SSL or early versions of TLS (due to the risk of 'forced - downgrade' attacks).'

ASV scan customers needed to migrate away from SSL/early TLS by June 30, 2018 as was announced previously in the Qualys blog post of April 18, 2017.

Compensating controls could be used in the case where SSL/early TLS is still being used. If the system is found not to be susceptible to particular vulnerabilities, a false positive/exception could be submitted and approved by the ASV, resulting a 'PCI Pass' for the affected scan component or target host.

ASV Program Guide and PCI DSS are available in the PCI Council Document Library.