> On 29 Jul 2021, at 12:46 pm, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
> Some commercial vulnerability scan services (e.g. by Qualys, SecurityMetrics)
> which are required by payment providers regard TLSv1/TLSv1.1 as absolute
> fails for PCI DSS compliance and organisations that must meet PCI DSS
> (https://www.pcisecuritystandards.org/) have no choice but to respect this.
> The same services do not treat port 25 open for plain text as a fail.
In other words: brain in neutral commercial reality.
--
Viktor.
