PCI Approved Scanning Vendor (ASV) Online Practice Test


Question: Entities with existing SSL/early TLS implementations must have what in place?

Correct answer: A formal Risk Mitigation and Migration Plan.

When SSL and early TLS are still in use, the key idea is to actively manage the risk they pose and to plan the move to stronger cryptography. The required approach is a formal risk mitigation and migration plan that documents the risks identified in continuing to rely on these older protocols, lays out a concrete path to disable or migrate away from them, and sets timelines, milestones, and ownership for the remediation. Such a plan demonstrates governance and accountability to assessors, showing that the organization is not leaving payment data exposed and that steps are in place to reduce the risk in a controlled, auditable way.

It is not enough to rely on scans alone, or to attempt to disable TLS immediately without a structured transition. A vulnerability scan helps identify issues, but it does not provide the planned, phased approach, assigned responsibilities, and timing needed to retire deprecated protocols safely. Doing nothing is clearly not acceptable when there is a known risk.

Incorrect options:

- A plan to disable TLS immediately.
- A quarterly vulnerability scan by ASV.
- No action required.
