The following are required for a TLS site to be considered PCI DSS 3.1 compliant:
- Trusted certificate
- SSL 2.0, SSL 3.0 and TLS 1.0 not supported
- Strong private key
  - 2048+ bits if RSA
  - 256+ bits if EC
- All cipher suites strong
  - Cipher of 128 bits or stronger
  - DH parameters 2048+ bits
  - Export suites are not allowed
  - Anonymous key exchange suites are not allowed
In addition, no known vulnerabilities may be present. This translates to the following:
- Insecure renegotiation not supported
- Compression not supported
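The checklist above can be applied mechanically to the output of a TLS scanner. The following is an added example (not part of the original page): it evaluates a scan summary against each requirement listed, deriving export/anonymous status and bulk-cipher strength from IANA cipher suite names. The scan summary format (`trusted_cert`, `protocols`, `key_type`, `key_bits`, `dh_bits`, `suites`, `secure_renegotiation`, `compression`) and the sample host are constructed assumptions.

```python
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}  # strong private key rule
# Bulk-cipher strength implied by the cipher token of an IANA suite name.
CIPHER_BITS = {
    "NULL": 0, "RC4_40": 40, "DES40": 40, "RC2_CBC_40": 40, "DES": 56,
    "3DES_EDE": 112, "RC4_128": 128, "AES_128": 128, "AES_256": 256,
    "CAMELLIA_128": 128, "CAMELLIA_256": 256, "SEED": 128, "CHACHA20": 256,
}

def cipher_bits(suite):
    """Strength of the bulk cipher in an IANA suite name, None if unknown."""
    # Token after WITH_ (TLS 1.2 and older) or after TLS_ (TLS 1.3 names).
    body = suite.split("_WITH_", 1)[1] if "_WITH_" in suite else suite[4:]
    hits = [k for k in CIPHER_BITS if body.startswith(k)]  # longest prefix wins
    return CIPHER_BITS[max(hits, key=len)] if hits else None

def suite_findings(suite):
    """Violations of the cipher-suite rules for one IANA suite name."""
    bits = cipher_bits(suite)
    checks = [
        ("_EXPORT" in suite, "export suite"),
        ("_anon_" in suite, "anonymous key exchange"),
        (bits is None, "unrecognised cipher, review manually"),
        (bits is not None and bits < 128, f"{bits}-bit cipher"),
    ]
    return [f"{suite}: {msg}" for hit, msg in checks if hit]

def check_scan(scan):
    """All PCI DSS 3.1 findings for one scan summary; empty means compliant."""
    checks = [
        (not scan["trusted_cert"], "certificate not trusted"),
        (scan["key_bits"] < MIN_KEY_BITS[scan["key_type"]],
         f"{scan['key_type']} key only {scan['key_bits']} bits"),
        ((scan.get("dh_bits") or 2048) < 2048, f"DH parameters only {scan.get('dh_bits')} bits"),
        (not scan["secure_renegotiation"], "insecure renegotiation supported"),
        (scan["compression"], "TLS compression supported"),
    ]
    findings = [msg for hit, msg in checks if hit]
    findings += [f"{p} supported" for p in sorted(set(scan["protocols"]) & FORBIDDEN_PROTOCOLS)]
    for suite in scan["suites"]:
        findings.extend(suite_findings(suite))
    return findings

SAMPLE_SCAN = {  # constructed sample scan summary, not a real host
    "trusted_cert": True, "protocols": ["TLSv1.0", "TLSv1.2"],
    "key_type": "RSA", "key_bits": 2048, "dh_bits": 1024,
    "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_AES_256_CBC_SHA"],
    "secure_renegotiation": True, "compression": False,
}
```

Running `check_scan(SAMPLE_SCAN)` reports TLS 1.0, 1024-bit DH parameters, the export suite (also flagged as a 40-bit cipher) and the anonymous suite; a `dh_bits` of `None` is treated as "no DHE suites offered".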