Exchange 2010 TLS 1.0 PCI Compliance


  • Exchange 2010 TLS 1.0 PCI Compliance


    It has come up in a recent PCI Security scan of our network that our Exchange 2010 setup isn't compliant due to TLS 1.0 being enabled.

    I have read a few articles extensively regarding this issue, with people suggesting things; however, none seem to be an actual solution.

    I would like to upgrade Exchange to 2013 / 2016 anyway in the next 6 months, however would this solve this issue or would that still be outstanding?

    Currently we are using Update Rollup 8, but plan to update this to the current level very soon.
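    As an added check (not part of this thread, and not Microsoft's own tooling), the following PowerShell audit reports the Schannel protocol registry values a PCI scanner is reacting to, and attempts a TLS 1.0-only and a TLS 1.2-only handshake against a host you operate so you can see what an external scanner sees. Function names are my own, EXCHANGE-HOST.example.com is a placeholder, and the Tls12 enum value assumes .NET Framework 4.5 or later on the machine running the test. Nothing here changes a setting: before disabling TLS 1.0 on an Exchange 2010 server, confirm the server and every client that connects to it can negotiate TLS 1.2, otherwise you remove the only protocol both sides share.

```powershell
# Added example, not from the thread: read-only audit of Schannel protocol settings
# plus a handshake test. Function names are assumptions; the host name is a placeholder.

$SchannelBase  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # Reports the Enabled / DisabledByDefault DWORDs per protocol and role.
    # A missing key or value means the OS default for that Windows version applies.
    foreach ($name in $ProtocolNames) {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $SchannelBase "$name\$role"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

            $enabled   = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { $null }
            $byDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { $null }

            # Enabled = 0 wins over everything else; 0xffffffff reads back as -1 and counts as enabled.
            $state = if ($enabled -eq 0) { 'Disabled' }
                     elseif ($null -eq $enabled -and $null -eq $byDefault) { 'OS default' }
                     elseif ($null -eq $enabled -and $byDefault -eq 1) { 'Disabled by default' }
                     else { 'Enabled' }

            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $byDefault
                State             = $state
            }
        }
    }
}

function Test-TlsProtocol {
    # Attempts a handshake restricted to a single protocol version against a host you own.
    # Certificate trust is deliberately not evaluated here; the question is only which
    # protocol versions the server will negotiate, which is what a PCI scanner reports on.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($ComputerName, $Port)
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Target     = "$ComputerName`:$Port"
            Requested  = $Protocol
            Negotiated = $true
            Actual     = $ssl.SslProtocol
            Error      = $null
        }
    } catch {
        # A rejected handshake is the desired outcome for TLS 1.0 once it has been disabled.
        [pscustomobject]@{
            Target     = "$ComputerName`:$Port"
            Requested  = $Protocol
            Negotiated = $false
            Actual     = $null
            Error      = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage on the Exchange server (reading HKLM does not require elevation):
Get-SchannelProtocolState | Format-Table -AutoSize

# The finding a scanner would raise: TLS 1.0 on the server side not explicitly disabled.
Get-SchannelProtocolState |
    Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Role -eq 'Server' -and $_.State -ne 'Disabled' }

# External view: TLS 1.0 should fail and TLS 1.2 should succeed once remediation is complete.
Test-TlsProtocol -ComputerName 'EXCHANGE-HOST.example.com' -Port 443 -Protocol Tls
Test-TlsProtocol -ComputerName 'EXCHANGE-HOST.example.com' -Port 443 -Protocol Tls12
```

    Run the handshake test from a machine other than the Exchange server itself, against each published endpoint (OWA, Autodiscover, SMTP with STARTTLS is a separate case this snippet does not cover), and keep the output alongside the scan report: it is the evidence that either the finding is real or that a compensating control is in place, which is what the later replies in this thread turn on.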



  • #2
    This is the official guidance:

    I am not aware of a timeframe to resolve the problem other than what it says there. If it is going to be a failing point then you will need to prioritise your upgrade - I would suggest going to Exchange 2016 rather than deploying a product that is already over three years old.

    Simon Butler
    Exchange MVP

    More Exchange Content:
    Exchange Resources List:
    In the UK? Hire me:

    Sembee is a registered trademark, used here with permission.


    • #3
      Keep in mind that even though your scan has flagged this, it doesn't mean it had to be remediated at this point in time. It's all around the data risk assessment and the mitigation of that, so providing you can show other relevant controls, you could probably look at reducing the vulnerability. I haven't been involved with PCI for a while but when we have our scans, we get given a CVSS overall rating per vulnerability. It's this which needs reducing, which sometimes has to involve mitigation depending on functional requirements versus security.