PCI DSS 3.1 was released in April 2015, followed by new guidelines regarding the use of SSLv3 and early TLS versions. The new guidelines, written in response to recent vulnerabilities found in SSL, state that SSLv3 and TLS 1.0 are no longer considered strong cryptography. Thus, any organization that is currently using these protocols should present a migration plan to disable them no later than June 30, 2018. For new implementations, the guidelines state that only TLS 1.1 and TLS 1.2 are allowed.
In accordance with the new PCI requirements, no SSL protocol version has been available on Incapsula since the disclosure of the POODLE attack. As for TLS versions 1.0, 1.1 and 1.2, Incapsula currently supports all of them by default, as most major vendors and industry leaders do.
Security and encryption are our highest priority; however, removing early TLS versions, namely TLS 1.0, may make it very difficult for our customers to support a wide array of browsers and vendors.
If you want to disable TLS 1.0, Incapsula can give you the option to test this new SSL configuration by applying a back-end change that disables TLS 1.0 for all SNI-supporting clients, with or without a specific source IP. As some auditors use SNI-supporting clients to test for TLS 1.0, this may assist you with the audit.
Furthermore, we have a solution for Enterprise customers who would like to remove TLS 1.0 completely, regardless of SNI support. Implementing this configuration will prevent access by visitors without SNI support.
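The two configurations described above differ only in how they treat a client that sends no SNI extension. The following added example (not Incapsula code; the function names and the mode names `sni_only` and `enterprise` are assumptions made for illustration) parses a ClientHello for the offered version and SNI hostname and applies each policy as this page describes it, using constructed sample handshakes.

```python
import struct

TLS1_0 = 0x0301  # wire value of TLS 1.0; SSLv3 is 0x0300, TLS 1.1 is 0x0302

def build_client_hello(max_version, sni=None):
    """Constructed sample input: a minimal ClientHello record (not a capture)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        # extension 0 (server_name): extension length, list length, then the entry
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    hello = (struct.pack("!H", max_version) + bytes(32) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    if ext:  # clients without SNI are modelled with no extensions block at all
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (highest version offered, SNI hostname or None)."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    try:
        version = struct.unpack_from("!H", record, 9)[0]
        pos = 9 + 2 + 32                                       # version + random
        pos += 1 + record[pos]                                 # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
        if pos + 2 > len(record):
            return version, None                               # no extensions
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0:                                     # server_name
                nlen = struct.unpack_from("!H", record, pos + 3)[0]
                return version, record[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
        return version, None
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

def accepts(record, mode="sni_only"):
    """Hypothetical modes: 'sni_only' = the test change, 'enterprise' = full removal."""
    version, sni = parse_client_hello(record)
    if sni is None:  # SSL is off everywhere; non-SNI TLS is cut only in enterprise mode
        return version >= TLS1_0 and mode != "enterprise"
    return version > TLS1_0  # SNI clients must offer TLS 1.1 or later
```

In `sni_only` mode a scanner that sends SNI and offers at most TLS 1.0 is refused while a non-SNI TLS 1.0 client still connects, so an audit result depends on whether the scanning tool sends SNI.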
For additional information, please contact Incapsula Support.