CipherM Learn

TLS 1.0 and PCI in 2025

Early TLS has been deprecated for years, yet it still turns up on internal services and legacy listeners. Here is why it matters, how it surfaces under PCI DSS 12.3.3, and how to find every place it is still negotiable.

What "early TLS" means

In PCI terminology, early TLS means TLS 1.0 and, for practical purposes, TLS 1.1; SSL 2.0 and 3.0 are their predecessors and were retired earlier still. The weaknesses are well documented: TLS 1.0's CBC mode chains IVs across records, which is what BEAST exploits; neither version can negotiate an AEAD suite such as AES-GCM (those arrived with TLS 1.2), so both are limited to CBC and RC4 constructions; and their handshake PRF is built on MD5 and SHA-1. The IETF formally deprecated TLS 1.0 and 1.1 in March 2021 (RFC 8996), and the major browsers had already removed support in 2020.

For card data, the PCI Council forced the migration off early TLS well before that. PCI DSS 3.1 stopped counting SSL and early TLS as strong cryptography in 2015, and the migration deadline for most environments was 30 June 2018. In 2025 there is no remaining grace period: apart from the narrow Appendix A2 allowance for card-present POS POI terminals that have been verified not susceptible to the known exploits, early TLS protecting cardholder data is simply non-compliant.

How it shows up in 12.3.3

Requirement 12.3.3 asks you to document and review, at least once every 12 months, every cryptographic cipher suite and protocol in use: an up-to-date inventory that records each one, its purpose and where it is used; active monitoring of industry trends for protocols that are losing viability; and a documented strategy for responding to anticipated changes. It was a best practice until 31 March 2025 and is now required. Early TLS is the textbook case of "deprecated": build the inventory honestly and it appears as a finding that has to be either removed or formally risk-accepted with a dated remediation plan.

The problem is that early TLS rarely lives where you are looking. It hides in:

  • Internal service-to-service traffic that never faces a public scanner.
  • Legacy listeners and admin ports left at default protocol ranges.
  • Application code that pins or permits an old protocol for one stubborn integration.
  • Config files (java.security, OpenSSL, web-server TLS policy) where a minimum-protocol setting was relaxed and never restored.
  • Outbound connections to third parties, where your client still offers TLS 1.0 for compatibility.
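The config and code hiding places above can be swept with a line-oriented check. The following is an added example, not CipherM's tooling: it reads a constructed set of sample files (every path is hypothetical) and flags nginx and Apache protocol directives, the JDK's jdk.tls.disabledAlgorithms list, an OpenSSL MinProtocol floor, and the client-side API calls in Java, Python, .NET and OpenSSL C that pin an early version.

```python
"""Sweep config files and source for settings that still permit early TLS.

Added example, not CipherM's tooling. SAMPLES is constructed here for
illustration; every path in it is hypothetical.
"""
import re

EARLY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What Apache's "all" keyword expands to on current mod_ssl builds.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed samples: hypothetical path -> file contents.
SAMPLES = {
    "nginx/conf.d/legacy.conf": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n",
    "nginx/conf.d/api.conf": "ssl_protocols TLSv1.2 TLSv1.3;\n",
    "apache/ssl.conf": "SSLProtocol all -SSLv3\n",  # "all" still keeps TLSv1 and TLSv1.1
    "apache/hardened.conf": "SSLProtocol -all +TLSv1.2 +TLSv1.3\n",
    "jre/conf/security/java.security":
        "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024\n",
    "openssl/openssl.cnf": "[system_default_sect]\nMinProtocol = TLSv1\n",
    "app/Client.java": 'SSLContext ctx = SSLContext.getInstance("TLSv1");\n',
    "app/Server.java": 'SSLContext ctx = SSLContext.getInstance("TLSv1.2");\n',
    "app/client.py": "ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)\n",
    "app/Client.cs": "SslProtocols.Tls | SslProtocols.Tls12\n",  # .Tls is TLS 1.0
    "app/transport.c": "SSL_CTX_new(TLSv1_method());\n",
}

# API calls that request or pin an early version in client/server setup code.
CODE_PATTERNS = [
    ("Java SSLContext", re.compile(r'SSLContext\.getInstance\("(SSL|SSLv3|TLSv1|TLSv1\.1)"\)')),
    ("Python ssl", re.compile(r"ssl\.(PROTOCOL_(SSLv3|TLSv1|TLSv1_1)|TLSVersion\.(SSLv3|TLSv1|TLSv1_1))\b")),
    (".NET SslProtocols", re.compile(r"SslProtocols\.(Ssl2|Ssl3|Tls|Tls11)\b")),
    ("OpenSSL method", re.compile(r"\b(SSLv3|TLSv1|TLSv1_1)_(client_|server_)?method\(")),
]


def nginx_early(line):
    """Early versions listed in an nginx ssl_protocols directive."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
    return sorted(set(m.group(1).split()) & EARLY) if m else []


def apache_early(line):
    """Early versions left enabled after evaluating an Apache SSLProtocol line."""
    m = re.match(r"\s*SSLProtocol\s+(.+)", line)
    if not m:
        return []
    enabled = set()
    for tok in m.group(1).split():
        if tok == "all":
            enabled |= APACHE_ALL
        elif tok == "-all":
            enabled.clear()
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:  # a bare name replaces the whole set
            enabled = {tok}
    return sorted(enabled & EARLY)


def java_early(line):
    """Early versions missing from the JDK's jdk.tls.disabledAlgorithms list."""
    m = re.match(r"\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)", line)
    if not m:
        return []
    disabled = {t.strip() for t in m.group(1).split(",")}
    return sorted(p for p in ("SSLv3", "TLSv1", "TLSv1.1") if p not in disabled)


def openssl_early(line):
    """An OpenSSL MinProtocol floor that is itself an early version."""
    m = re.match(r"\s*MinProtocol\s*=\s*(\S+)", line)
    return [m.group(1)] if m and m.group(1) in EARLY else []


def code_early(line):
    """Source-level pins of an early version, labelled by API family."""
    return [f"{label}: {m.group(0)}" for label, pat in CODE_PATTERNS for m in pat.finditer(line)]


CHECKERS = [("nginx ssl_protocols", nginx_early), ("apache SSLProtocol", apache_early),
            ("java.security", java_early), ("openssl MinProtocol", openssl_early),
            ("source code", code_early)]


def sweep(files):
    """Run every checker over every line; each hit is one inventory row tagged deprecated."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, check in CHECKERS:
                hits = check(line)
                if hits:
                    findings.append({"path": path, "line": lineno, "kind": kind,
                                     "early": hits, "status": "deprecated"})
    return findings


if __name__ == "__main__":
    for row in sweep(SAMPLES):
        print(row)
```

Running the sweep on the samples flags eight of the eleven files; the two hardened configs and the TLSv1.2 Java context pass. The Apache checker is the one to note: a `SSLProtocol all -SSLv3` line looks deliberate but still leaves TLS 1.0 and 1.1 on, and the JDK line is a finding by omission rather than by presence, which is why grepping for the string "TLSv1" alone misses it.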

An assessor who finds early TLS that is missing from your inventory will question the whole inventory — which is why completeness matters more than any single finding. The patterns here overlap with the broader list in common QSA findings.

How to find it

Catching every instance means looking at all three places cryptography lives, not just one:

  1. Live endpoints. Probe each service for the protocol versions it will actually negotiate, not the ones its configuration claims, and include internal listeners, not just public-facing ones.
  2. Configuration. Audit minimum-protocol and enabled-protocol settings across web servers, load balancers, JVM security policy, and OpenSSL configs.
  3. Source code. Find places where an old protocol is requested, pinned, or permitted in client and server setup code — a network scan will never see these.
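Step 1 deserves a concrete probe, because the obvious approach does not work: on a current system the local OpenSSL policy refuses to even offer TLS 1.0 or 1.1 through the ssl module, so a wrapped socket tells you about your own machine, not the server. The following is an added example, not CipherM's scanner: it handcrafts a ClientHello record for exactly one version, reads the first record the server sends back, and reports whether that version was negotiated, refused, or downgraded. The host in the `__main__` block is hypothetical.

```python
"""Probe a live listener for early TLS by handcrafting the ClientHello.

Added example, not CipherM's scanner. Sending raw records sidesteps the
local OpenSSL policy, which will not offer TLS 1.0/1.1 on current systems.
The default target host below is hypothetical.
"""
import ipaddress
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
EARLY = {0x0300, 0x0301, 0x0302}
# CBC suites that exist from SSL 3.0 through TLS 1.2; offering no TLS 1.2-only
# suites keeps the server's answer about the version, not the cipher.
CIPHERS = (0xC013, 0xC014, 0x002F, 0x0035, 0x000A)


def build_client_hello(version, server_name=None):
    """One TLS record carrying a minimal ClientHello whose client_version is `version`."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    if server_name:  # SNI so name-based virtual hosts answer for the right site
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    record_version = min(version, 0x0301)  # record layer stays at 1.0 (3.0 for an SSLv3 probe)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_record(sock):
    """Read exactly one TLS record (header plus payload) from the socket."""
    header = _recv_exact(sock, 5)
    if len(header) < 5:
        return header
    return header + _recv_exact(sock, struct.unpack("!H", header[3:5])[0])


def parse_response(data):
    """Classify the server's first record as server_hello, alert, closed or unexpected."""
    if len(data) < 5:
        return ("closed", None)
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # handshake / ServerHello
        return ("server_hello", struct.unpack("!H", payload[4:6])[0])
    if ctype == 0x15 and len(payload) >= 2:  # alert: 70 = protocol_version, 40 = handshake_failure
        return ("alert", payload[1])
    return ("unexpected", ctype)


def outcome(version_probed, result):
    """negotiated / downgraded / refused / error for one probed version."""
    kind, value = result
    if kind == "server_hello":
        return "negotiated" if value == version_probed else "downgraded"
    if kind == "error":
        return "error"
    return "refused"


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello for `version` and return the parsed first response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version, None if _is_ip(host) else host))
            return parse_response(read_record(sock))
    except OSError as exc:
        return ("error", str(exc))


def scan_host(host, port=443):
    """Inventory rows for the early versions; a 'negotiated' row is a 12.3.3 finding."""
    rows = []
    for name, version in VERSIONS.items():
        if version in EARLY:
            result = probe(host, port, version)
            rows.append({"host": host, "port": port, "protocol": name, "status": "deprecated",
                         "outcome": outcome(version, result), "raw": result})
    return rows


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "legacy-admin.internal"  # hypothetical host
    for row in scan_host(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443):
        print(row)
```

Read the outcomes carefully: "negotiated" for TLSv1.0 is the finding, "downgraded" (a TLS 1.1 probe answered with a 1.0 ServerHello) is the same finding seen from the other side, and "refused" covers both a protocol_version alert and a silent close. Probe every listener, including internal ones and non-443 admin ports, since the point of step 1 is what the server accepts rather than what its config file says.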

Then normalize the results into one inventory, tag each early-TLS hit as deprecated, and export it as a CycloneDX CBOM (the cryptographic bill of materials introduced in CycloneDX 1.6) so that every finding is traceable to a host, config line or source location and can be re-checked after remediation. Why that format is the evidence a QSA accepts is covered in CBOM as QSA evidence.

The free scan checks a live endpoint and tells you whether it still accepts early TLS, mapped to 12.3.3. The full code + config + live-TLS sweep that flags every early-TLS instance across your environment is the Rapid Assessment.

Find early TLS — run the free scan

Close the gap before your assessment

Run the free scan to see where early TLS still lives, or book a Rapid Assessment for a hand-reviewed inventory and a QSA-ready 12.3.3 evidence pack.