All Vortx servers on any hosting plan are configured to pass PCI compliance scans, but some third-party scanners (Trustwave, for example) report false positives. The one we see most often is a request to disable TLS 1.0, which the scanner reports as a failure. Disabling TLS 1.0 on the server, however, will lock out the customers who are still on older browsers and operating systems that cannot negotiate TLS 1.1 or TLS 1.2. It may also prevent your site from communicating with your payment gateway if the gateway does not yet support TLS 1.1 or TLS 1.2. Either outcome would most likely cost you sales, so confirm which protocol versions your gateway actually accepts before turning TLS 1.0 off.
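The check mentioned above, as an added example rather than anything from Vortx or Trustwave: a small POSIX shell script that asks a remote host for a TLS 1.0, 1.1 and 1.2 handshake in turn using openssl s_client and reports which ones the host will negotiate. The gateway hostname in the usage comment is an assumption; substitute your own gateway's host and port.

```shell
#!/bin/sh
# Added example, not Vortx's or Trustwave's tooling: probe which TLS versions a
# remote host will negotiate. Run it against your payment gateway before
# disabling TLS 1.0 on your own server; if only "tls1" comes back supported,
# turning TLS 1.0 off will break gateway communication.

# classify_handshake reads openssl s_client output on stdin and prints
# "supported" when a cipher suite was negotiated, "unsupported" when the peer
# refused the requested protocol version or the connection failed outright.
classify_handshake() {
    out=$(cat)
    # A refused version shows up as "New, (NONE), Cipher is (NONE)".
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo unsupported
    # A successful handshake shows "New, TLSv1.2, Cipher is <suite>" (1.1.x)
    # or "New, TLSv1/SSLv3, Cipher is <suite>" (1.0.x).
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo supported
    else
        echo unsupported
    fi
}

# probe_tls HOST [PORT]: try TLS 1.0, 1.1 and 1.2 and print one line per version.
probe_tls() {
    host=$1
    port=${2:-443}
    for v in tls1 tls1_1 tls1_2; do
        # -servername sends SNI so a virtual-hosted gateway presents the right
        # certificate; stdin from /dev/null makes s_client exit after the
        # handshake instead of waiting for request data.
        result=$(openssl s_client -connect "$host:$port" -servername "$host" \
                   "-$v" </dev/null 2>/dev/null | classify_handshake)
        printf '%-8s %s\n' "$v" "$result"
    done
}

# Usage (hostname is an assumption): probe_tls gateway.example.com 443
```

Read the result with one caveat: a modern OpenSSL client build may itself refuse to offer TLS 1.0 (the -tls1 option is missing or rejected by the default security level), in which case "unsupported" reflects your client, not the gateway. Re-run with stderr visible if a version you expect to work is reported unsupported.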


According to the PCI Security Standards Council (http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls), the requirement to stop using SSL and early TLS does not take effect until June 30, 2018, but Trustwave has taken it upon itself to fail its customers on this point ahead of the deadline "in order to raise awareness of the changes in PCI DSS and make merchants' business environment as secure as possible sooner".


You will need to dispute this finding in your Trustwave account and reference a completed Risk Mitigation and Migration Plan. A template for the plan can be found here: https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-of-Service-Provider-Template/

Fill out all the required information in the template, and for the section "Insert the date when your service provider is expected to complete the migration..." use the following wording: "Any new or upgraded systems are provisioned in environments that do not support SSL/TLS 1.0. Existing systems are being monitored for vulnerabilities in SSL/TLS 1.0 and SSL/TLS 1.0 will be disabled on all systems by June 30, 2018."

Trustwave should then approve the dispute, and the PCI scan should pass.


This Trustwave FAQ has more information on the issue, along with screenshots showing how to submit the Risk Plan:
https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-FAQ-for-TVM-Customers/