In the PCI DSS standard (v3.1), 4.1 (i) reads:
For all other environments using SSL and/or early TLS: Review the documented Risk Mitigation and Migration Plan to verify it includes:
- Description of usage, including what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
- Risk-assessment results and risk-reduction controls in place;
- Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
- Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
- Overview of migration project plan including target migration completion date no later than June 30, 2016.
However, in SAQ D this text is in 4.1 (g) and there is no (i).
Why is there a difference?
I checked and this seems to be the same in v3.2 as well (and also for the SAQ-D merchant).