Notification: Reverting Changes for QID 38794 PCI Automatic Fail
Last updated on: July 1, 2021
On May 18th, 2021, the Qualys Research Team updated QID 38794 to be an automatic PCI failure based on prevailing guidance from the PCI DSS standard. PCI DSS considers legacy TLS implementations that are deprecated or vulnerable to a known exploit to be a PCI failure. These versions are collectively referred to as "early TLS", but the version numbers are not explicitly listed.
Based on analysis by the Qualys Research Team and feedback from our customers, TLS 1.1 fit the criteria for "early TLS", since it was deprecated by an IETF RFC on March 31st, 2021, and was vulnerable to the POODLE vulnerability and to man-in-the-middle attacks. As a result, the QID was updated to be a PCI fail.
In addition, all major browser vendors announced the end of TLS 1.1 support in their respective browsers.
However, after discussions with the PCI Council, we are reverting that change until further notice.
Why are we reverting this change to QID 38794?
After discussions with members of the PCI Council, it was confirmed that the presence of TLSv1.1 by itself should not be considered an automatic failure by ASVs. For example, if TLSv1.1 is not being used as a control to protect CHD (or authentication, etc.), then its mere presence should not be an automatic failure unless it can be confirmed that it is being used as a security control to meet a PCI DSS requirement. The same applies if the organization has implemented additional controls to mitigate the risk of the vulnerabilities associated with using TLSv1.1.
When are we reverting this change to QID 38794?
Effective immediately, we are reverting this change, since many customers were impacted by the change made to this QID on May 18th, 2021.
Can you advise on how Qualys, as an ASV, confirms that an identified application where TLSv1.1 is running is not using it as a control to protect CHD, so that the TLSv1.1 finding can pass?