If your compliance report indicates that you are not compliant, but this is due to the continued use of legacy SSL and TLS encryption protocols that meet the conditions of the PCI council, you can dispute the vulnerability using the Risk Mitigation and Migration Plan designed by Alert Logic®. This document serves a template to help you dispute your status as "non-compliant" by meeting the requirements of PCI-DSS 3.1 for the temporary continued use of legacy SSL and TLS encryption protocols until the end of June 2018 at the latest.
The conditions required to continue use of early TLS are:
- You must attest that the system being scanned is a pre-existing system prior to the release of PCI-DSS 3.1 (April 2015).
- You must show that you have met all the encryption requirements laid out by PCI-DSS 3.0.
- You must provide a detailed Risk Mitigation and Migration Plan.
To use the template provided by Alert Logic, download the following attachment and fill out the template with details.