SSL v3.0 is no longer allowed
The PCI Security Standards Council will soon release an update to PCI DSS to disallow the use of SSL v3.0 for protecting cardholder data.
Due to “inherent weaknesses in the protocol,” no version of SSL meets the council’s definition of “strong cryptography,” according to a council bulletin. The council will soon release PCI DSS v3.1 to document the new exclusion.
When released, PCI DSS v3.1 will be effective immediately, but the updated requirements will be “future dated” to allow organizations time to transition. See more details in the council’s bulletin.