Why is Sweet32 no longer detecting as a PCI failure as of 4/28/17?
Is it not truly a PCI failure?
cve-2016-2183 cve-2016-6329 sweet32 3des triple-des* qid38657 38657 pci
We analyzed a number of factors, such as:
- Currently PCI DSS references 3DES as a valid and strong encryption cipher;
- 112-bit keys are acceptable until 2030 per NIST SP800-57 part 1 Rev 4 document.
We decided to change the QID 38657 to be a PCI Pass on April 26th, 2017.
Merchants can just re-scan the hosts needed; it should show Pass now.
PCI 3.2 did not refer to the use of either DES, 3DES or AES. However, strong encryption is always recommended.