A formal Risk Mitigation and Migration Plan is required for SSL/early TLS connections.


Multiple Choice

A formal Risk Mitigation and Migration Plan is required for SSL/early TLS connections.

Explanation:
Migration away from SSL and early TLS is required by PCI DSS, so you must have a formal Risk Mitigation and Migration Plan for any SSL/early TLS connections. This plan documents why these protocols are insecure, identifies every system or service still using them, and lays out concrete steps to upgrade or decommission them. It includes a timeline with milestones, assigns responsibilities, and describes testing and validation to ensure that once SSL/early TLS are disabled, systems operate securely with TLS 1.2+ and strong cipher suites. It also covers compensating controls when immediate migration isn’t possible and outlines rollback procedures if issues arise. The PCI DSS guidance sets a clear migration deadline, so having a formal plan is necessary rather than optional.

