PCI DSS 4.0 & FIPS Compliance Explained
PCI DSS 4.0 (effective March 2025) and FIPS 140-2/3 impose strict cryptographic requirements. Non-compliant TLS cipher suites can result in failed audits, fines, or loss of payment processing privileges.
PCI DSS 4.0 Cipher Requirements
Requirement 4.2.1 mandates:
- Strong cryptography for all cardholder data in transit
- Minimum TLS 1.2 (TLS 1.0/1.1 banned)
- No weak ciphers: RC4, 3DES, MD5, SHA1, EXPORT
Even one weak cipher in the list fails compliance.
Allowed vs. Banned Ciphers
| Status | Cipher Examples |
|---|---|
| Allowed | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| Banned | TLS_RSA_WITH_RC4_128_MD5 |
| Banned | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
FIPS 140-2/3 Requirements
FIPS-validated modules must use:
- AES-GCM or AES-CCM only
- 256-bit or 128-bit keys
- No CBC, no RC4, no 3DES
ChaCha20-Poly1305 is not FIPS-approved (yet).
How the Weak Cipher Tester Helps
Paste your scan output and instantly see:
- PCI COMPLIANT or NON-COMPLIANT
- FIPS COMPLIANT or NON-COMPLIANT
- Exact ciphers causing failure
- Remediation config snippets
FAQ
Is TLS 1.2 with AES-CBC compliant?
No. CBC mode is vulnerable and not allowed under PCI DSS 4.0.
Can I keep 3DES for legacy clients?
No. PCI DSS 4.0 has zero tolerance for 3DES.
Does TLS 1.3 auto-comply?
Yes — if no legacy suites are offered via downgrade.
Compliance isn’t optional — one weak cipher can cost you millions.